
Access Token Security Best Practices


Access tokens can authenticate Hawzu API requests without interactive login. Treat them like sensitive credentials.


Create tokens with only the access they need.

  • Prefer project tokens when automation only needs project access.
  • Assign the lowest role that supports the automation.
  • Avoid assigning broad workspace access unless the integration needs it.
  • Use separate tokens for separate systems.

Use names that make ownership and purpose obvious.

Good examples:

  • ci-regression-runner
  • nightly-test-sync
  • release-report-job

Avoid vague names like token, new token, or automation.


Prefer expiring tokens.

Shorter expiry windows reduce risk if a token is exposed. Use Never Expires only when the system using the token cannot support regular rotation.

When a token must have no expiry, store it with particular care and set a regular review reminder outside Hawzu.


Keep tokens only in secure locations, such as:

  • CI/CD secret stores.
  • Cloud secret managers.
  • Environment variables managed by deployment tooling.

Do not keep tokens in:

  • Source code.
  • Git repositories.
  • Shared documents.
  • Screenshots.
  • Logs or error output.

Use Disable token when you want to pause access and observe the impact.

Disabled tokens cannot authenticate requests, but they can be enabled again later.

Use Revoke Token when a token is no longer needed, has been replaced, or may have been exposed.

Revoking is permanent. Any pipeline, script, or integration using that token stops working immediately.


To rotate a token:

  1. Create a replacement token with the required access.
  2. Update the external system to use the new token.
  3. Confirm the system works.
  4. Disable the old token if you want a short observation period.
  5. Revoke the old token when it is no longer needed.

Review tokens on a regular schedule.

Look for:

  • Tokens with unclear names.
  • Tokens created by users who no longer own the integration.
  • Tokens without expiry dates.
  • Tokens with broader workspace or project access than needed.
  • Disabled tokens that can be revoked.
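As an added example (not Hawzu's own tooling), here is a small audit script that applies this review checklist to a token inventory; the Token record fields, the sample records and the name heuristic are assumptions of the example, not the Hawzu API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Names the page calls out as too vague to show ownership or purpose.
VAGUE_NAMES = {"token", "new token", "automation"}

@dataclass
class Token:
    """Hypothetical token record; field names are assumptions, not the Hawzu API."""
    name: str
    owner: str                 # user who created the token
    scope: str                 # "project" or "workspace"
    needs_workspace: bool      # does the integration actually need workspace access?
    expires: Optional[date]    # None means "Never Expires"
    disabled: bool = False

def review_token(tok: Token, active_owners: set) -> list:
    """Return checklist findings for one token; an empty list means it passes."""
    findings = []
    # Unclear name: one of the vague names, or not a hyphenated purpose name
    # such as ci-regression-runner (heuristic, an assumption of this example).
    if tok.name.strip().lower() in VAGUE_NAMES or "-" not in tok.name:
        findings.append("unclear name")
    if tok.owner not in active_owners:
        findings.append("owner no longer owns the integration")
    if tok.expires is None:
        findings.append("no expiry date")
    if tok.scope == "workspace" and not tok.needs_workspace:
        findings.append("broader access than needed")
    if tok.disabled:
        findings.append("disabled; revoke if the observation period is over")
    return findings

def review_inventory(tokens: list, active_owners: set) -> dict:
    """Map each token name to its findings, keeping only tokens that need attention."""
    report = {}
    for tok in tokens:
        findings = review_token(tok, active_owners)
        if findings:
            report[tok.name] = findings
    return report

# Constructed sample inventory for demonstration; "bob" has left the team.
SAMPLE_TOKENS = [
    Token("ci-regression-runner", "alice", "project", False, date(2026, 6, 30)),
    Token("token", "bob", "workspace", False, None),
    Token("release-report-job", "carol", "workspace", True, date(2026, 1, 31), disabled=True),
]
ACTIVE_OWNERS = {"alice", "carol"}

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_TOKENS, ACTIVE_OWNERS).items():
        print(f"{name}: {', '.join(findings)}")
```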