Personal Access Tokens
Personal access tokens (PATs) allow individual users to authenticate with the RAMP API without using their regular login credentials. Each token inherits the permissions of the user who created it.
Accessing Token Management
Navigate to Settings > Personal Access Tokens (or /_settings/tokens).
When to Use Personal Access Tokens
Personal access tokens are useful for:
| Use Case | Description |
|---|---|
| Personal scripts | Automating tasks with scripts that run under your identity |
| Development tools | Connecting IDE plugins or development tools to the RAMP API |
| Testing | Quick API testing during development without full OAuth flows |
| Ad-hoc integrations | Short-lived integrations that do not warrant a dedicated service account |
PATs vs. Service Accounts
| Feature | Personal Access Tokens | Service Accounts |
|---|---|---|
| Identity | Tied to an individual user | Independent machine identity |
| Permissions | Inherits the user’s roles | Assigned independently |
| Management | Managed by the user | Managed by Administrators |
| Best for | Personal scripts, development | Production integrations, CI/CD |
| Lifecycle | Tied to the user’s account | Independent of any user |
Creating a Token
- Navigate to Settings > Personal Access Tokens.
- Click Create Token.
- Enter a Name that describes the token’s purpose (e.g., “CLI Script”, “Postman Testing”, “VS Code Plugin”).
- Optionally set an Expiration Date. Tokens without an expiration date remain valid until manually revoked.
- Click Create.
- Copy the generated token immediately and store it securely.
Using a Token
Include the personal access token in the Authorization header of your API requests:
```
Authorization: Bearer <your-token>
```
The token authenticates as the user who created it, with the same permissions and role access.
Managing Tokens
Viewing Your Tokens
The token management page lists all your active tokens with:
- Token name
- Creation date
- Expiration date (if set)
- Last used date
Revoking a Token
If a token is compromised or no longer needed:
- Navigate to Settings > Personal Access Tokens.
- Find the token you want to revoke.
- Click Revoke (or Delete).
- Confirm the action.
Revoked tokens are immediately invalidated. Any API call using the revoked token will be rejected.
Token Permissions
A personal access token inherits all the permissions of the user who created it at the time of each API call. This means:
- If your roles change (added or removed), the token’s effective permissions change accordingly.
- If your account is deactivated, the token stops working.
- The token cannot access more than you can access through the UI.
Security Best Practices
- Use descriptive names — name each token after its purpose so you know which to revoke if needed.
- Set expiration dates — avoid indefinite tokens. Set expiration dates appropriate for the use case.
- One token per use case — create separate tokens for different tools or scripts. This allows you to revoke access for one tool without affecting others.
- Never commit tokens — do not store tokens in source code, configuration files checked into version control, or documentation.
- Rotate periodically — regenerate tokens on a regular schedule, especially those with broad permissions.
- Revoke unused tokens — regularly review your tokens and revoke any that are no longer in use.
- Use environment variables — store tokens in environment variables or secret management tools, not in plain text files.
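
The following is an added example, not code from the RAMP documentation or project: a small Python helper that combines the Authorization header from "Using a Token" with the environment-variable practice above. The variable name `RAMP_API_TOKEN`, the host `ramp.example.com`, the path `/api/placeholder` and the sample token are assumptions made for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

TOKEN_ENV_VAR = "RAMP_API_TOKEN"  # assumed variable name, not defined by RAMP


class TokenConfigError(RuntimeError):
    """Raised when the token is missing or would be sent insecurely."""


def load_token(env=None):
    """Read the PAT from the environment, never from source or a checked-in file."""
    env = os.environ if env is None else env
    token = (env.get(TOKEN_ENV_VAR) or "").strip()
    if not token:
        raise TokenConfigError(f"{TOKEN_ENV_VAR} is not set")
    if any(ch.isspace() for ch in token):
        # Whitespace inside a header value usually means a bad paste.
        raise TokenConfigError(f"{TOKEN_ENV_VAR} contains whitespace")
    return token


def redact(token):
    """Form that is safe for logs: keep only the last 4 characters."""
    return "***" + token[-4:] if len(token) > 8 else "***"


def build_request(base_url, path, token):
    """Build (but do not send) a request carrying the Bearer header."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        # A bearer token is a replayable secret; refuse cleartext transport.
        raise TokenConfigError("refusing to send a token to a non-HTTPS URL")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )


if __name__ == "__main__":
    # Constructed values for the demo; a real run calls load_token() with no argument.
    demo_env = {TOKEN_ENV_VAR: "constructed-sample-token-0000"}
    tok = load_token(demo_env)
    req = build_request("https://ramp.example.com", "/api/placeholder", tok)
    print(req.full_url, "token:", redact(tok))
```

Passing the returned request to `urllib.request.urlopen` sends it; log `redact(token)` rather than the token itself.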