API access without interactive login
A Personal Access Token (PAT) is a long-lived, user-issued token that grants programmatic access to the EmpowerNow API on your behalf. Unlike a session cookie obtained from a browser login, a PAT is self-contained and can be embedded in automation tooling, CI/CD pipelines, scripts, and Postman collections.
| Attribute | Value |
|---|---|
| Token format | Opaque bearer token β passed in the Authorization: Bearer <token> header |
| Issuer | You (the logged-in user). The PAT acts as your identity. |
| Scope | Restricted to the scopes you select at generation time |
| Expiry | Configurable: 7d, 30d, 90d, 1 year, or no expiry |
| Visibility | Token value shown once at creation β never displayed again |
PATs are user-issued and carry your personal identity. Issuer Access Tokens (IATs) are system-issued and scoped to service accounts. Use PATs for personal tooling; use IATs for machine-to-machine integrations that should not be tied to a person.
Navigate to /idp/token-studio
Go to Administration β Token Studio. The PATs tab is selected by default. The list shows all tokens you have generated, with their current status, last-used timestamp, and remaining lifetime.
| Token Name | Scopes | Created | Expires | Last Used | Status | Actions |
|---|---|---|---|---|---|---|
| ci-pipeline-prod | write | 2026-03-01 | 2026-06-01 | Today 02:14 | Active | Revoke |
| postman-readonly | read | 2026-04-10 | 2026-07-10 | Yesterday | Active | Revoke |
| old-script | read | 2025-12-01 | 2026-03-01 | 2026-03-01 | Expired | β |
Click "+ Generate Token" and fill in the form
Click + Generate Token. A modal opens with the token configuration form. Fill in all required fields before clicking Generate.
| Field | Required | Notes |
|---|---|---|
| Token name | β Yes | Human-readable label. Use the use-case, e.g. ci-pipeline-prod |
| Scopes | β Yes | Select minimum needed. Never select admin for read-only tools. |
| Expiry | β Yes | Set an expiry whenever possible. "No expiry" is high risk. |
Only select the scopes your tool actually needs. A Postman collection that only reads data needs read only β not write or admin.
Copy the token immediately β it will never be shown again
After clicking Generate, the modal transitions to a success screen showing the full token value. This is the only time the token value will ever be displayed. If you close this modal without copying, you must revoke the token and generate a new one.
Paste the token into your secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager, 1Password) before closing this modal. Never store tokens in code, environment files committed to source control, or plain text documents.
Identify expiring and expired tokens
The PAT list uses visual indicators to surface tokens that need attention. An amber β οΈ warning icon appears beside any token expiring within 7 days. Expired tokens are shown with a red Expired status badge and are no longer valid for API calls.
| Token Name | Expires | Status | Actions |
|---|---|---|---|
| β οΈ deploy-staging | In 5 days (2026-05-05) | Expiring soon | Revoke |
| ci-pipeline-prod | 2026-07-30 | Active | Revoke |
Revoke a token and rotate
To immediately invalidate a token, click Revoke on its row. Revocation is instant β any API call using the token will receive a 401 Unauthorized response. Revoked tokens cannot be restored.
When rotating a token (e.g. approaching expiry), follow this order: (1) generate a new token, (2) update your script or CI/CD secret store with the new token value, (3) verify the new token works, (4) revoke the old token.
Begin the rotation process at least 48 hours before a token expires. Waiting until after expiry causes pipeline failures with no overlap window.
Common PAT scenarios
Select scopes based on what your integration actually does. The table below covers the most common use cases and their recommended configurations.
| Use case | Recommended scope | Expiry | Notes |
|---|---|---|---|
| CI/CD pipeline deployments | write | 90 days | Store token as a CI/CD secret variable. Rotate on a schedule. |
| Postman collections (read-only) | read | 30 days | Use for API exploration. Never grant write to Postman unless required. |
| Admin automation scripts | admin | 7 days | Short expiry is critical for admin-scoped tokens. Run script, then revoke. |
| Monitoring / health-check agents | read | 1 year | Long expiry acceptable for read-only monitoring. Store securely in secrets manager. |
A PAT committed to a git repository β even a private one β should be treated as compromised. Revoke it immediately and generate a replacement. Use CI/CD secret variables or a secrets manager to inject tokens at runtime.