> ## Documentation Index
> Fetch the complete documentation index at: https://docs.passlet.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Access tokens

> Create scoped API keys, rotate them safely, and get warned before they expire.

**Access tokens** authenticate external systems against the [public REST API](/api-reference/overview). They're managed on the **Access tokens** page (owners and members; viewers have no access).

## Scopes

A token can only do what its scopes allow. Grant the minimum you need:

| Scope            | Grants                                   |
| ---------------- | ---------------------------------------- |
| `passes:read`    | Read passes                              |
| `passes:write`   | Issue, update, void passes; manage links |
| `templates:read` | Read templates and template versions     |
| `webhooks:read`  | Read webhook endpoints and deliveries    |
| `webhooks:write` | Manage webhook endpoints, redeliver      |
| `scans:read`     | Read scan history and stats              |
| `scans:write`    | Record and reverse scans                 |

Each API operation documents its required scope — see the endpoint pages in the [API Reference](/api-reference/overview), or the `x-required-scopes` field in the OpenAPI spec.

## Creating a token

The **Create access token** wizard has three steps:

<Steps>
  <Step title="Permissions">
    Select scopes.
  </Step>

  <Step title="Security">
    Name the token, optionally set an **expiration date** (leave empty for non-expiring), and
    opt into **expiry notifications** — email reminders 30/14/7/3/1 days before expiry, to
    recipients you choose.
  </Step>

  <Step title="Review">
    Confirm and create. The token secret (`plt_…`) is **shown only once** — copy it immediately
    and store it in your secret manager.
  </Step>
</Steps>

<Warning>
  Treat access tokens like passwords. Never commit them, never embed them in client-side code,
  and scope them narrowly. If a token leaks, revoke or rotate it immediately.
</Warning>

## Rotating and revoking

* **Rotate** issues a new secret for the same token (shown once, like at creation) and
  invalidates the old secret. Use for scheduled rotation or after a suspected leak.
* **Revoke** permanently disables the token.
* **Edit** adjusts the name, scopes, expiry, and notification settings.

The token list shows each token's expiry state ("Never expires", "Expires in N days", "Expired") so stale credentials are easy to spot.

## Using a token

Send it as a bearer token (or `X-API-Key` header):

```bash theme={null}
curl https://api.passlet.io/v1/passes \
  -H "Authorization: Bearer $PASSLET_API_TOKEN"
```

See the [API overview](/api-reference/overview) for base URL, errors, and pagination.
