Add restrictions to an existing token without needing the private key.
Attenuation is a Biscuit cryptographic feature that allows anyone holding a token to add restriction blocks. The resulting token can only do a subset of what the original token could do—restrictions cannot be removed.
This endpoint requires authentication with token read permission.
Cryptographic guarantee: Attenuation can only reduce permissions, never expand them. The Biscuit format ensures restriction blocks are append-only and cannot be removed without invalidating the signature.
Self-service by design: Users can only attenuate tokens they already possess. If you have a token, you can create a weaker version of it—this is analogous to being able to share read-only access to something you own.
No privilege escalation: The attenuated token inherits all existing restrictions from the source token, plus any new ones added. A read-only token cannot be attenuated into a read-write token.
All timestamps use UTC in ISO 8601 / RFC 3339 format. The Adaptyv API runs in AWS eu-central-1 (Frankfurt), and all time comparisons are in UTC.
For the cryptographic properties of token attenuation, see the Biscuit documentation.
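A model of the append-only, reduce-only property described above, as an added example that is not Adaptyv's or Biscuit's code. It swaps in an HMAC chain (the macaroon construction) for Biscuit's public-key block signatures, so verification here needs the root key, unlike Biscuit. The token layout, restriction strings and key are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

ROOT_KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's secret

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> dict:
    """Issuer side: only the holder of root_key can create an unrestricted token."""
    return {"id": token_id, "restrictions": [], "sig": _mac(root_key, token_id)}

def attenuate(token: dict, restriction: str) -> dict:
    """Holder side: append a restriction using nothing but the token itself."""
    return {
        "id": token["id"],
        "restrictions": token["restrictions"] + [restriction],
        # The previous signature is the key for the next one, so the chain
        # can be extended by any holder but never shortened.
        "sig": _mac(token["sig"], restriction),
    }

def _holds(restriction: str, operation: str, now: datetime) -> bool:
    kind, _, value = restriction.partition("=")
    if kind == "operation":
        return operation == value
    if kind == "expires":  # RFC 3339 timestamp, compared in UTC
        return now < datetime.fromisoformat(value)
    return False  # unknown restriction kinds fail closed

def verify(root_key: bytes, token: dict, operation: str, now: datetime) -> bool:
    """Recompute the chain from the root key, then require every restriction to hold."""
    sig = _mac(root_key, token["id"])
    for restriction in token["restrictions"]:
        sig = _mac(sig, restriction)
    if not hmac.compare_digest(sig, token["sig"]):
        return False  # a restriction was removed, reordered or altered
    return all(_holds(r, operation, now) for r in token["restrictions"])

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    read_only = attenuate(mint(ROOT_KEY, "demo-token"), "operation=read")
    widened = attenuate(read_only, "operation=write")     # adds a check, removes none
    stripped = dict(read_only, restrictions=[])           # restriction dropped, sig kept
    print("read-only, read :", verify(ROOT_KEY, read_only, "read", now))
    print("read-only, write:", verify(ROOT_KEY, read_only, "write", now))
    print("widened, write  :", verify(ROOT_KEY, widened, "write", now))
    print("stripped, write :", verify(ROOT_KEY, stripped, "write", now))
```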
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Request to attenuate (restrict) an existing token.
Attenuation is a Biscuit cryptographic feature that adds restriction blocks without needing the private signing key. Any authenticated user can attenuate their tokens to create limited-scope versions for delegation.
Token attenuated successfully
Response after attenuating a token.
The attenuated token string. Format: abs0_{slug}{biscuit_base64}.