tokens

Create a new API token for programmatic access

This endpoint creates a new API token with specified permissions and configuration. The token value is returned only once - there is no way to retrieve it again, so store it securely immediately.

Token Creation Process

Specify token name and type
Define required permission scopes
Set optional expiration period
Add any metadata (IP restrictions, etc.)
Receive token value - SAVE IT IMMEDIATELY

Token Types

api: Standard tokens for API access
- Inherit user permissions (scoped down)
- Recommended for most use cases
- Maximum 1 year expiration
service: Long-lived service account tokens
- For automated systems and CI/CD
- No expiration limit
- Requires admin approval

Permission Scopes

Tokens can only have permissions the creating user possesses:

experiments:read - View experiment data
experiments:write - Create/modify experiments
reports:read - Access reports
targets:read - View target catalog
tokens:write - Manage tokens (dangerous!)
users:read - View user information
invoices:read - Access billing data

Security Best Practices

Immediate Storage: Save the token value immediately and securely
Minimal Scopes: Only grant necessary permissions
Expiration: Set expiration for temporary access
IP Whitelist: Use metadata to restrict by IP if possible
Descriptive Names: Use clear names to identify purpose
Regular Rotation: Rotate tokens periodically

Using Your Token

Include the token in API requests:

Authorization: Bearer sk_your_token_here

Important Warning

The token value is shown only once! If you lose it, you must create a new token. There is no way to recover a lost token value.

POST

tokens

curl --request POST \
  --url https://kq5jp7qj7wdqklhsxmovkzn4l40obksv.lambda-url.eu-central-1.on.aws/tokens \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "expires_in_days": 1,
  "metadata": "<any>",
  "name": "<string>",
  "scopes": [
    "<string>"
  ],
  "token_type": "<string>",
  "user_id": "<string>"
}'

{
  "created": true,
  "expires_at": "<string>",
  "id": "<string>",
  "token": "<string>"
}

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json

Request payload for creating a new API token

Specify the token configuration including permissions, expiration, and optional metadata.

Response

201

application/json

Token successfully created - SAVE THE TOKEN VALUE!

Response after creating a new API token

Contains the newly created token value. This is the ONLY time the token value is shown - store it securely!

List all API tokens for a user Get detailed information for a specific token

curl --request POST \
  --url https://kq5jp7qj7wdqklhsxmovkzn4l40obksv.lambda-url.eu-central-1.on.aws/tokens \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "expires_in_days": 1,
  "metadata": "<any>",
  "name": "<string>",
  "scopes": [
    "<string>"
  ],
  "token_type": "<string>",
  "user_id": "<string>"
}'

{
  "created": true,
  "expires_at": "<string>",
  "id": "<string>",
  "token": "<string>"
}

🚧 Foundry API (Alpha) 🚧

Authorizations

Body

Response