POST /api/v1/tokens/attenuate
Attenuate token
curl --request POST \
  --url https://foundry-api-public.adaptyvbio.com/api/v1/tokens/attenuate \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "attenuation": {
    "allowed_actions": [
      "<string>"
    ],
    "allowed_org_ids": [
      "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    ],
    "allowed_resources": [
      "<string>"
    ],
    "expires_at": "2023-11-07T05:31:56Z",
    "non_destructive": true,
    "read_only": true
  },
  "name": "<string>",
  "token": "<string>",
  "attenuated_parent_token_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
}
'

{
  "id": "<string>",
  "token": "<string>"
}

Authorizations

Authorization (string, header, required)

Biscuit-based bearer token. Obtain tokens from the Adaptyv Portal or via the /tokens endpoint. Tokens encode organization membership and role-based capabilities; the API verifies the token's cryptographic signature and authorization claims before processing requests. Use /tokens/attenuate to create restricted tokens for delegation.

Body

application/json

Request to attenuate (restrict) an existing token.

Attenuation is a Biscuit cryptographic feature that adds restriction blocks without needing the private signing key. Any authenticated user can attenuate their tokens to create limited-scope versions for delegation.

attenuation (object, required)

Restrictions to apply to the token.

name (string, required)

Human-readable label for this attenuated token.

Names are not unique — they are purely for display purposes.

token (string, required)

Existing token string (format: abs0_{slug}{biscuit_base64}) to attenuate.

attenuated_parent_token_id (string<uuid> | null)

If attenuating an already-attenuated token (chained attenuation), provide the id of the parent attenuated token record. Omit when attenuating a root token directly.

Response

Token attenuated and persisted

Response after attenuating a token.

id (string, required)

Database ID of the attenuated token record (for revocation/management).

token (string, required)

The attenuated token string. Format: abs0_{slug}{biscuit_base64}.
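
An added example (not Adaptyv's own client code) that builds the request described above for a read-only, time-boxed delegate token without sending it, and keeps the token string out of logs. The function names and the separate auth_token parameter are assumptions; the page does not say whether the Authorization bearer must be the same token as the one being attenuated.

```python
import json
import uuid
import urllib.request
from datetime import datetime, timedelta, timezone

ATTENUATE_URL = "https://foundry-api-public.adaptyvbio.com/api/v1/tokens/attenuate"
TOKEN_PREFIX = "abs0_"  # documented format: abs0_{slug}{biscuit_base64}


def build_attenuate_request(auth_token, token, name, org_ids, ttl,
                            parent_id=None, now=None):
    """Build, without sending, a request for a read-only, time-boxed delegate token."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("token does not match the abs0_ format")
    if ttl <= timedelta(0):
        raise ValueError("ttl must be positive")
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    body = {
        "attenuation": {
            # uuid.UUID() rejects malformed ids before they reach the API
            "allowed_org_ids": [str(uuid.UUID(o)) for o in org_ids],
            "expires_at": (now + ttl).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "non_destructive": True,
            "read_only": True,
        },
        "name": name,
        "token": token,
    }
    # Chained attenuation only: omitted when attenuating a root token directly.
    if parent_id is not None:
        body["attenuated_parent_token_id"] = str(uuid.UUID(parent_id))
    return urllib.request.Request(
        ATTENUATE_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {auth_token}",
                 "Content-Type": "application/json"})


def loggable_body(req):
    """Copy of the request body with the bearer credential masked for logs."""
    body = json.loads(req.data)
    body["token"] = TOKEN_PREFIX + "<redacted>"
    return body


def parse_response(raw):
    """Return (record id, attenuated token) from the documented response shape."""
    doc = json.loads(raw)
    if not doc["token"].startswith(TOKEN_PREFIX):
        raise ValueError("response token does not match the abs0_ format")
    return doc["id"], doc["token"]
```

Send the result with urllib.request.urlopen(req) and store the returned id alongside the delegate's name, since the response documents it as the handle for revocation/management.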