Skip to content

How do I create an API token?

Requires Basic

Open Administration → API Tokens, click “Create token”, give it a name (e.g., “CI Pipeline”), choose the scopes (read, write, or both), and optionally an expiration date. After saving, Notory shows the token value (inv_…) exactly once — copy it to a safe place right away. After that, only the prefix remains visible.

Available on all plans.

  1. Open API Tokens. Administration → API Tokens (“Personal access tokens for the REST API. The value is shown only once.”). The list shows Name, Prefix, Scopes, Created, and Last used.

    The token list shows only metadata — never the secret value.
  2. Create a token. Click “Create token”, give it a descriptive name (e.g., “CI Pipeline”), and choose the scopes: read (read only), write (read + write) — with no selection, full access within your role applies. Optionally set an expiration date.

  3. Copy the value immediately. After creation you’ll see: “New token – copy it now, it will not be shown again:”. Copy the value (inv_…) into your password manager or your pipeline’s secret management.

    The plaintext value appears exactly once — after that, only the prefix remains visible.
  4. Test it. A first call with the new token:

    Terminal window
    curl -H "Authorization: Bearer inv_dein_neuer_token" \
    https://demo.notory.io/api/v1/assets
  • Secure format, hashed storage. Notory generates inv_ plus 32 random, URL-safe bytes. Only the SHA-256 hash is stored — the plaintext no longer exists server-side after the response. That’s why it can never be shown again. For recognition, Notory remembers the first 12 characters as the prefix.
  • Scope semantics. read allows only read methods (GET/HEAD/OPTIONS); write allows changes and includes read access. Without scopes, full access within your role applies (compatibility behavior). A mismatched access attempt ends with 403 (“API token scope does not permit this operation”).
  • Token ≤ user. Every request made with the token runs under your account: role, permissions, and tenant apply unchanged; tenant isolation (RLS) is set per request to the token’s tenant. If your account is deactivated, all your tokens become immediately useless (401).
  • Expiration and usage trail. After expires_at, the API responds with 401 (“Invalid or expired API token”). On every use, Notory updates last_used_at — so you can spot orphaned or misused tokens.