Access Token Security Best Practices Guide
When managing access tokens:
- Never Share Tokens: Keep tokens secret and never commit them to version control
- Use Environment Variables: Store tokens in secure environment variables
- Set Expiry Dates: Use expiration dates for tokens, especially in production
- Rotate Regularly: Periodically create new tokens and revoke old ones
- Monitor Usage: Regularly review token usage and disable unused tokens
- Principle of Least Privilege: Assign minimum required scope to each token
- Disable Instead of Delete: Disable tokens temporarily before deleting them
- Document Purpose: Use descriptive labels to track token usage
- Separate Tokens: Use different tokens for different services/environments
- Revoke Compromised Tokens: Immediately delete tokens if they’re exposed
Use Cases
CI/CD Integration
- Create tokens for CI/CD pipelines
- Use in automated test execution
- Set appropriate expiry dates
- Rotate tokens regularly
Third-Party Integrations
- Generate tokens for integration services (Zapier, Jenkins, etc.)
- Assign appropriate scopes for integration needs
- Monitor token usage
- Disable unused integrations
Automation Scripts
- Create tokens for scheduled scripts
- Use tokens in automation workflows
- Set expiry dates for temporary scripts
- Document token usage
API Development
- Generate tokens for API testing
- Use tokens in API clients
- Assign scopes based on testing needs
- Clean up test tokens regularly
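The practices above (expiry, rotation, least privilege, labels, monitoring for unused tokens) and the CI/CD, integration and automation use cases all come down to the same periodic review. Below is an added example of such an audit, not code from this page or its product: it runs over a constructed list of token metadata (no secret values), and the field names, thresholds and finding labels are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of token metadata (no secret values). Field names and
# sample dates are assumptions for this example, not a real product's API.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
TOKENS = [
    {"label": "ci-deploy", "env": "prod", "scopes": ["deploy:write"], "enabled": True,
     "created": NOW - 20 * DAY, "expires": NOW + 70 * DAY, "last_used": NOW - 1 * DAY},
    {"label": "", "env": "prod", "scopes": ["*"], "enabled": True,
     "created": NOW - 400 * DAY, "expires": None, "last_used": NOW - 120 * DAY},
    {"label": "zapier-sync", "env": "staging", "scopes": ["read:issues"], "enabled": True,
     "created": NOW - 30 * DAY, "expires": NOW - 2 * DAY, "last_used": NOW - 3 * DAY},
    {"label": "old-test", "env": "dev", "scopes": ["read:api"], "enabled": False,
     "created": NOW - 200 * DAY, "expires": None, "last_used": None},
]

def audit_token(tok, now=NOW, max_age_days=90, unused_days=30):
    """Return the best-practice violations for one token (empty list if clean)."""
    findings = []
    if not tok["enabled"]:
        return findings  # disabled tokens are parked pending deletion; nothing to flag
    if not tok["label"]:
        findings.append("missing-label")        # "Document Purpose"
    if "*" in tok["scopes"] or "admin" in tok["scopes"]:
        findings.append("overbroad-scope")      # "Principle of Least Privilege"
    if tok["expires"] is None:
        findings.append("no-expiry")            # "Set Expiry Dates"
    elif tok["expires"] <= now:
        findings.append("expired")              # still enabled past its expiry
    if now - tok["created"] > max_age_days * DAY:
        findings.append("rotation-overdue")     # "Rotate Regularly"
    if tok["last_used"] is None or now - tok["last_used"] > unused_days * DAY:
        findings.append("unused")               # "Monitor Usage": candidate to disable
    return findings

def audit_inventory(tokens, now=NOW):
    """Map every token with findings to its list of findings, keyed by label."""
    report = {}
    for i, tok in enumerate(tokens):
        findings = audit_token(tok, now)
        if findings:
            report[tok["label"] or f"<unlabelled #{i}>"] = findings
    return report
```

Run this against a real inventory export on a schedule, and treat "expired" and "overbroad-scope" on an enabled token as items to revoke the same day.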
Next Steps
- Learn about Roles to understand token scopes and permissions
- Explore API Documentation for API endpoint details
- Read about Workspace Settings for security configuration