Scopes
A token can only do what its scopes allow. Grant the minimum you need:| Scope | Grants |
|---|---|
passes:read | Read passes |
passes:write | Issue, update, void passes; manage links |
templates:read | Read templates and template versions |
webhooks:read | Read webhook endpoints and deliveries |
webhooks:write | Manage webhook endpoints, redeliver |
scans:read | Read scan history and stats |
scans:write | Record and reverse scans |
x-required-scopes field in the OpenAPI spec.
Creating a token
The Create access token wizard has three steps:Security
Name the token, optionally set an expiration date (leave empty for non-expiring), and
opt into expiry notifications — email reminders 30/14/7/3/1 days before expiry, to
recipients you choose.
Rotating and revoking
- Rotate issues a new secret for the same token (shown once, like at creation) and invalidates the old secret. Use for scheduled rotation or after a suspected leak.
- Revoke permanently disables the token.
- Edit adjusts the name, scopes, expiry, and notification settings.
Using a token
Send it as a bearer token (orX-API-Key header):