Manage access tokens

This topic describes how to create and manage access tokens.

Overview

Access tokens provide secure, role-based access to REST endpoints by non-browser REST clients. You can manage access tokens through the Connect user interface or a command-line interface (CLI). You can use the access tokens for authentication or with a REST client for automation and integrations.

The following guidelines apply:

  • Only site administrators can manage access tokens.

  • Tokens inherit the permissions of their assigned role. For details, see Security roles.

  • Token expiration dates follow the access.token.lifetime global property, with a default value of 180 days.

Manage tokens through the user interface

This section describes how to create, rotate, and delete tokens in the Connect user interface.

In the main dashboard, navigate to the Access Tokens tab.

  • To define a new token, enter a name for the access token, select a role, and click Create. The raw token value is only displayed once. Copy and store it securely. The name and role of an access token cannot be changed after creation.

  • To generate and display a new token value, click the Rotate button in the token's row.

  • To remove an access token, click the Delete button.

Note: The raw token value is saved in the file specified by the -accessTokenFilePath parameter.


Manage tokens through the CLI

You can also manage access tokens using the CLI tool located in the product's Utilities folder.

The following operations are supported:

  • View tokens:

    mfcMaintenance.bat (or .sh) -showAccessTokens

  • Create a token and write the value to a file:

    mfcMaintenance.bat (or .sh) -createAccessToken -accessTokenName <name> -accessTokenRole <role> -accessTokenFilePath <path>

  • Rotate a token and write the new value to a file:

    mfcMaintenance.bat (or .sh) -rotateAccessToken <token-id> -accessTokenFilePath <path>

  • Delete a token:

    mfcMaintenance.bat (or .sh) -deleteAccessToken <token-id>
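
The following check is an added example, not part of the product documentation or its scripts. It audits a file written via -accessTokenFilePath for permissions that expose the raw token to other accounts and for age approaching the default 180-day lifetime. The function name, the 14-day warning window, and the use of the file's modification time as a stand-in for the token's issue date are assumptions.

```sh
#!/bin/sh
# Added example: audit a file written via -accessTokenFilePath.
# Assumptions (not from the product docs): the file's mtime reflects the last
# create/rotate, and the lifetime is the access.token.lifetime default (180 days).

# check_token_file <path> [lifetime_days] [warn_days]
# Prints one finding per line and returns:
#   0 = ok, 1 = file missing or empty, 2 = permissions too open,
#   3 = rotation due (within warn_days of expiry, or already past it)
check_token_file() {
    path=$1
    lifetime=${2:-180}
    warn=${3:-14}
    rc=0

    if [ ! -s "$path" ]; then
        echo "MISSING: $path does not exist or is empty"
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    # Anything but "------" means an account other than the owner can
    # read, write, or execute the file holding the raw token.
    mode=$(ls -ld "$path" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $path is $mode; restrict with: chmod 600 $path"
        rc=2
    fi

    # find -mtime +N matches files whose age exceeds N full days.
    threshold=$((lifetime - warn))
    if [ -n "$(find "$path" -prune -mtime +"$threshold")" ]; then
        echo "ROTATE: $path is older than $threshold days (lifetime $lifetime)"
        [ "$rc" -eq 0 ] && rc=3
    fi

    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}
```

If access.token.lifetime has been changed from its default, pass the configured value as the second argument.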


Use tokens with a REST client

To authenticate REST API calls with an access token, use the -t <token-value> parameter with mfcFullRestClient.jar. This is an alternative to username/password authentication (the -c parameter). For details, see Maintenance scripts.
