API Tokens
Requires Basic
API tokens are personal access keys for the REST API: scripts, CI pipelines, and
integrations use them to authenticate as you — without a browser login. Every token
starts with the prefix inv_, is bound to your account and your tenant, can be
restricted to read/write scopes, and can optionally expire automatically. The
plaintext value is shown only once — right when it’s created.
In this section
Section titled “In this section”- How do I create an API token? — with scopes, expiration date, and a first curl test
- What should I know about token security? — least privilege, storage, rotation
- How do I revoke a token? — instantly locking out compromised or retired tokens
Prerequisites
Section titled “Prerequisites”API tokens are self-service: every logged-in user manages their own tokens under Administration → API Tokens — regardless of role. A token can never do more than its owner: the account’s role and permissions also apply to the token. Available on all plans.
Related topics
Section titled “Related topics”- API getting started — base URL, authentication, error codes
- Roles & Permissions — what a token can do at most
- Webhooks — the reverse direction: Notory calls your systems