Skip to main content
Access tokens authenticate external systems against the public REST API. They’re managed on the Access tokens page (owners and members; viewers have no access).

Scopes

A token can only do what its scopes allow. Grant the minimum you need:
ScopeGrants
passes:readRead passes
passes:writeIssue, update, void passes; manage links
templates:readRead templates and template versions
webhooks:readRead webhook endpoints and deliveries
webhooks:writeManage webhook endpoints, redeliver
scans:readRead scan history and stats
scans:writeRecord and reverse scans
Each API operation documents its required scope — see the endpoint pages in the API Reference, or the x-required-scopes field in the OpenAPI spec.

Creating a token

The Create access token wizard has three steps:
1

Permissions

Select scopes.
2

Security

Name the token, optionally set an expiration date (leave empty for non-expiring), and opt into expiry notifications — email reminders 30/14/7/3/1 days before expiry, to recipients you choose.
3

Review

Confirm and create. The token secret (plt_…) is shown only once — copy it immediately and store it in your secret manager.
Treat access tokens like passwords. Never commit them, never embed them in client-side code, and scope them narrowly. If a token leaks, revoke or rotate it immediately.

Rotating and revoking

  • Rotate issues a new secret for the same token (shown once, like at creation) and invalidates the old secret. Use for scheduled rotation or after a suspected leak.
  • Revoke permanently disables the token.
  • Edit adjusts the name, scopes, expiry, and notification settings.
The token list shows each token’s expiry state (“Never expires”, “Expires in N days”, “Expired”) so stale credentials are easy to spot.

Using a token

Send it as a bearer token (or X-API-Key header):
curl https://api.passlet.io/v1/passes \
  -H "Authorization: Bearer $PASSLET_API_TOKEN"
See the API overview for base URL, errors, and pagination.