Documentation
API tokens
Issue and revoke personal access tokens; one-time secret reveal pattern.
Last updated May 8, 2026
Personal access tokens authenticate requests to the /api/v1 endpoints. They're scoped to a single workspace and can be revoked at any time without affecting other tokens.
Token format
atst_live_<32 random bytes, base64url>
The prefix atst_live_ makes tokens recognizable in logs and in automated secret-scanning workflows.
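As an added example (not the product's own code), the following Python builds a token in the documented shape and shows how the fixed prefix lets a log scrubber find and redact leaked values. The sample token, the log lines and the function names are constructed for illustration.

```python
import base64
import re
import secrets

PREFIX = "atst_live_"  # documented prefix


def issue_token() -> str:
    """Token in the documented shape: prefix + 32 random bytes as unpadded base64url."""
    payload = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
    return PREFIX + payload.decode("ascii")


# 32 bytes encode to exactly 43 base64url characters once padding is dropped,
# so the prefix plus a fixed-width character class pins the shape down tightly.
TOKEN_RE = re.compile(r"atst_live_[A-Za-z0-9_-]{43}")


def is_well_formed(token: str) -> bool:
    """True only for a full-length token with the documented prefix."""
    return TOKEN_RE.fullmatch(token) is not None


def find_tokens(text: str) -> list:
    """Every token-shaped string in a blob of text (log output, a diff, a config file)."""
    return TOKEN_RE.findall(text)


def redact(text: str) -> str:
    """Replace each full token with its display prefix (prefix + 4 chars) plus an ellipsis."""
    return TOKEN_RE.sub(lambda m: m.group(0)[: len(PREFIX) + 4] + "…", text)


# Constructed sample: a fixed, non-functional token and a few made-up log lines.
SAMPLE_TOKEN = "atst_live_0123456789abcdefghijklmnopqrstuvwxyzABCDEFG"
SAMPLE_LOG = "\n".join([
    "2026-05-08T10:01:02Z GET /api/v1/workspaces 200",
    "2026-05-08T10:01:03Z DEBUG Authorization: Bearer " + SAMPLE_TOKEN,
    "2026-05-08T10:01:04Z DEBUG session_key=abc123 (not a token)",
])

if __name__ == "__main__":
    print(issue_token())
    print(find_tokens(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

The fixed width matters: a regex anchored on the prefix alone would also fire on the truncated display form shown in the dashboard, which is not a secret.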
One-time reveal
When you issue a token we show the full value once, with a copy button. As soon as you navigate away or refresh, the page can no longer display the value — we only persist a hash. If you lose the token, revoke it and issue a new one.
What we store
| Field | Stored? | Notes |
|---|---|---|
| Full token value | No | Hash only (SHA-256). |
| Token prefix (e.g. atst_live_AbCd…) | Yes | For surfacing in the dashboard. |
| Name | Yes | User-provided label. |
| Created-by user | Yes | The user who issued the token. |
| Last-used timestamp | Yes | Updated best-effort on each request. |
| Revoked timestamp | Yes | Set when revoked; the row is kept for audit. |
Security recommendations
- Rotate tokens at least once per year.
- Issue separate tokens per integration (CI, internal admin, scripts).
- Treat atst_live_* tokens like passwords: never commit them, store them in your platform's secrets manager, and audit the access list.
- Combine with IP allowlists at your egress, not at our ingress — we don't currently enforce IP rules per token.
Auditing
Every token issuance, last-used update, and revocation lands in the audit log.
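An added example, not the service's own implementation, that models the "What we store" table and the audit events from this section: only the SHA-256 hash and the display prefix of a token are stored, authentication hashes the presented value and rejects revoked rows, the last-used timestamp is updated on each successful request, and a revoked row is kept. The class, field and event names are assumptions.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

PREFIX = "atst_live_"           # documented token prefix
PREFIX_SHOWN = len(PREFIX) + 4  # dashboard form: prefix + first 4 payload chars, e.g. atst_live_AbCd


@dataclass
class TokenRecord:
    """One row per token; mirrors the 'What we store' table (assumed field names)."""
    token_hash: str                          # hex SHA-256 of the full token; the token itself is never kept
    prefix: str                              # e.g. "atst_live_AbCd", for the dashboard
    name: str                                # user-provided label
    created_by: str                          # user who issued the token
    last_used_at: Optional[datetime] = None  # updated best-effort on each request
    revoked_at: Optional[datetime] = None    # set on revocation; the row is kept for audit


class TokenStore:
    """In-memory stand-in for the token table plus its audit log (assumed design)."""

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRecord] = {}                 # token_hash -> row
        self.audit: List[Tuple[str, str, str, datetime]] = []   # (event, prefix, actor, at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def _log(self, event: str, rec: TokenRecord, actor: str) -> None:
        # The audit entry carries the display prefix only, never the token or its hash.
        self.audit.append((event, rec.prefix, actor, self._now()))

    def issue(self, name: str, created_by: str) -> Tuple[str, TokenRecord]:
        """Create a token. The plaintext is returned exactly once; only its hash is stored."""
        payload = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
        token = PREFIX + payload
        rec = TokenRecord(self._hash(token), token[:PREFIX_SHOWN], name, created_by)
        self._rows[rec.token_hash] = rec
        self._log("issued", rec, created_by)
        return token, rec

    def authenticate(self, presented: str) -> Optional[TokenRecord]:
        """Resolve a presented token to its row, or None if it is unknown or revoked."""
        # The key is the SHA-256 of a 256-bit random value, so a plain dictionary
        # lookup is adequate: an attacker cannot craft inputs that differ by one byte
        # of the stored digest.
        rec = self._rows.get(self._hash(presented))
        if rec is None or rec.revoked_at is not None:
            return None
        # Best-effort: in a real service this write is fire-and-forget and a failure
        # here must not fail the API request.
        rec.last_used_at = self._now()
        self._log("last_used", rec, "api")
        return rec

    def revoke(self, rec: TokenRecord, actor: str) -> None:
        """Mark the token revoked; the row is retained so the audit trail stays complete."""
        if rec.revoked_at is None:
            rec.revoked_at = self._now()
            self._log("revoked", rec, actor)

    def rows(self) -> List[TokenRecord]:
        return list(self._rows.values())


if __name__ == "__main__":
    store = TokenStore()
    token, rec = store.issue("ci", "alice")
    print("show once:", token)
    print("authenticated:", store.authenticate(token) is rec)
    store.revoke(rec, "alice")
    print("after revoke:", store.authenticate(token))
    print(store.audit)
```

Because the row is looked up by the hash of the presented value, a token that was lost can only be replaced, never recovered, which is exactly what the one-time reveal section promises.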