Access Tokens Overview
3 min read
Access tokens let external systems, automation jobs, and integrations authenticate Hawzu API requests without using a person’s login credentials.
Access tokens are for API access only. They do not provide access to the Hawzu web experience.
Where Access Tokens Live
Section titled “Where Access Tokens Live”Open access tokens from the workspace Security & Access area or the Access Tokens page.
The Access Tokens page shows the tokens available in the current workspace. The page helps workspace administrators review token ownership, token scope, expiry, and lifecycle state.
Workspace And Project Tokens
Section titled “Workspace And Project Tokens”Each token has one access type.
Workspace Tokens
Section titled “Workspace Tokens”Workspace tokens use a workspace role and can access workspace-level API resources according to that role.
Use workspace tokens when an integration needs workspace-level information or must work across the workspace.
Project Tokens
Section titled “Project Tokens”Project tokens are assigned to one or more projects. Each project row has its own project role.
Use project tokens when automation should be limited to specific projects.
Project access is evaluated per project. A token with access to two projects can have different permissions in each project.
Access Tokens Page
Section titled “Access Tokens Page”The table includes:
- Label: the token name.
- Access Type: Workspace or Project.
- Created by: the user who created the token.
- Created: when the token was created.
- Expires: the expiry date, or Not specified when no expiry is set.
- Actions: edit, enable or disable, and revoke actions.
The label column is always visible. Other columns can be shown or hidden with the column visibility control.
Search, Filters, And Sorting
Section titled “Search, Filters, And Sorting”Use search to find tokens by label, creator, or token identifier.
Available filters include:
- Access Type: Workspace or Project.
- Expiry: filter by expiry date.
- Created Date: filter by creation date.
- Created By: filter by creator.
- Status: Enabled or Disabled.
Sorting is available for label, access type, created by, created date, expiry date, and status.
Token Status
Section titled “Token Status”Tokens can be enabled or disabled.
Enabled
Section titled “Enabled”An enabled token can authenticate API requests, as long as it has not expired and its assigned roles allow the requested action.
Disabled
Section titled “Disabled”A disabled token cannot authenticate API requests. Disable a token when you want to pause access without permanently removing it.
Disabled tokens can be enabled again by users with the required access.
Expiry
Section titled “Expiry”Tokens can have an expiry date or no expiry date.
Expiry options are selected when a token is created or edited. Tokens with no expiry are allowed, but Hawzu shows a security warning because long-lived tokens carry more risk.
When a token expires, systems using that token should stop authenticating successfully.
Lifecycle Actions
Section titled “Lifecycle Actions”Users with the right access can:
- Create tokens.
- Review token details.
- Edit token name, role assignments, project access, and expiry.
- Disable Token: temporarily revokes access for any processes using the token. A Disable Access Token confirmation explains that CI/CD pipelines, automation scripts, or integrations using the token will fail to authenticate until it is re-enabled.
- Enable Token: reactivates a disabled token. An Enable Access Token confirmation explains that tools using the token regain access and resume normal operation.
- Revoke Token: permanently removes the token. A Confirm Revocation dialog warns that the action cannot be undone and that any pipelines, scripts, or integrations using the token will stop working immediately.
Revoking a token removes access immediately and cannot be undone. Create a replacement token before revoking a token used by pipelines, scripts, or integrations.
Permissions
Section titled “Permissions”Access token actions depend on workspace permissions.
- Users need create access to create tokens.
- Users need edit access to update, enable, or disable tokens.
- Users need revoke access to permanently revoke tokens.
The roles available in token role pickers are limited to roles that can be assigned to access tokens.
Next Steps
Section titled “Next Steps”- Create a token in Create Token
- Review and update tokens in Manage Tokens
- Authenticate requests in Using Tokens
- Protect tokens with Security Best Practices