Manage API Tokens

The Manage API Tokens page lets administrators create, rotate, and revoke dedicated API tokens for integrations.

Updated over a week ago

Overview

The API token management area is available to platform administrators under General settings → Manage API Tokens.
It provides a secure, auditable way to issue application/service credentials that authenticate against Full Fabric’s backend, replacing ad‑hoc or user-based tokens.

Concepts

  • API token entity
    Each token is a dedicated entity in the platform, representing an app or integration rather than an end user.
    Tokens are stored hashed and cannot be retrieved in plaintext after creation, only validated during API calls.

  • Token metadata
    A token stores descriptive fields such as name/description, created at, created by, and optionally the system or app it is issued for.
    Future iterations will add scopes/permissions and app-based grouping without changing how existing tokens are displayed.

  • API versions
    All new tokens are designed to be used with versioned endpoints (for example, /apis/v1/resource).
    This ensures non-breaking evolution of APIs while keeping token behaviour consistent across versions.

Accessing Manage API Tokens

  • Go to Settings from the main navigation.

  • Open General settings, then select Manage API Tokens in the side menu.

  • Only administrators with the appropriate permissions can view and manage tokens for a tenant.

The page displays a list of existing API tokens with high-level metadata but never shows the secret token value.

Creating a new API token

When creating a new token, an administrator defines the identity and configuration of that token.

  1. In General settings → Manage API Tokens, click Create token.

  2. Fill in the token details:

    • Name/description: Human-readable label describing the integration or system that will use this token (for example, “Salesforce connector – production”).

    • Issued for: Optional reference to the internal app, service, or integration this token represents.

    • Created by and Created at are automatically recorded in the audit trail.

    • Expiration: Choose a lifespan (for example, 30, 90, or 365 days) or set a custom expiry date according to internal security policies.

  3. Confirm to generate the token.

  4. Copy the token value immediately and store it securely (for example, in a secrets manager). It is only displayed once, on this screen.

After this step, the token secret is no longer retrievable; only its metadata and status remain visible in the UI.

Using an API token

API tokens authenticate requests to Full Fabric’s versioned endpoints.

  • HTTP header
    Include the token in the Authorization header of each request using the Bearer scheme:
    Authorization: Bearer <your_api_token>

  • API versions
    Use the token with the appropriate versioned route, for example:

    • /apis/v1/applications

    • /apis/v1/contacts

    Future versions (such as /apis/v2/...) will follow the same pattern.

Tokens inherit the permissions and constraints configured for their entity, and later will support scoped access per token for more granular control.
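
A client-side sketch of the header and route pattern described above. This is an added example, not code from Full Fabric; the host name, the FULLFABRIC_API_TOKEN environment variable and the function names are assumptions chosen for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://tenant.example.invalid"  # placeholder host (assumption)
API_VERSION = "v1"


def load_token(env_var: str = "FULLFABRIC_API_TOKEN") -> str:
    """Read the token from the environment, where a secrets manager would
    inject it, instead of hard-coding it. The variable name is hypothetical."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set")
    return token


def build_request(resource: str, token: str,
                  base_url: str = BASE_URL) -> urllib.request.Request:
    """Build a request for /apis/<version>/<resource> with a Bearer header."""
    if urlsplit(base_url).scheme != "https":
        # The token is a bearer secret: never put it on a cleartext connection.
        raise ValueError("refusing to send an API token over a non-HTTPS URL")
    if not token or any(c.isspace() for c in token):
        # Whitespace (including CR/LF) in a header value signals a corrupted
        # or tampered secret and must not reach the wire.
        raise ValueError("token is empty or contains whitespace")
    url = f"{base_url.rstrip('/')}/apis/{API_VERSION}/{resource.strip('/')}"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}"})


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to write to logs."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed token value, for demonstration only; nothing is sent.
    req = build_request("contacts", "tok_constructed_123")
    print(req.full_url, redact(dict(req.headers)))
```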

Viewing token details

The Manage API Tokens list shows a high-level view for each token:

  • Name/description: The label provided at creation time.

  • Status: Active or revoked.

  • Created at / Created by: Timestamp and administrator identity for the original creation.

  • Expires at: When the token will automatically become invalid, if an expiry was set.

  • Last used (when available): Timestamp of the last successful API call authenticated with this token.

Administrators can open a token’s detail view to see its metadata and audit history, without exposing the token secret.

Suspending a token

Suspension temporarily removes all access for that token.

  1. Open General settings → Manage API Tokens and select the token to suspend.

  2. Click Suspend.

    1. From that point, any request using the token will be rejected, and the token state changes to Suspended in the UI.

Revoking a token

Revocation immediately blocks a token from further use.

  • To revoke:

    1. Open the token in Manage API Tokens.

    2. Select a Suspended token.

    3. Click Revoke token and confirm.

      1. From that point, any request using the token will be rejected, and the token state changes to Revoked in the UI.

Audit logging and security

  • Audit logs
    The platform logs key events: usage metadata such as last-used timestamps.
    Logs can be used to investigate incidents, support compliance requirements, and monitor integration health.

  • Token storage and transmission
    Tokens are generated with strong entropy and stored in a non-reversible form; only hashes are persisted.
    All access to the Manage API Tokens page and usage of API tokens requires HTTPS to prevent interception of secrets in transit.
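
How a hash-only token store of the kind described here and under Concepts can work, as an added sketch that is not Full Fabric's implementation. The record layout, the use of SHA-256, and treating Revoked as a final state are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def digest(secret: str) -> str:
    # A fast hash is enough because the secret is 256 random bits; a
    # human-chosen password would need a slow KDF instead.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:                       # hypothetical record layout
    name: str
    digest: str                          # only the hash is persisted
    expires_at: Optional[datetime]
    status: str = "active"               # active | suspended | revoked
    last_used: Optional[datetime] = None


class TokenStore:
    def __init__(self) -> None:
        self.records: dict = {}          # digest -> TokenRecord

    def create(self, name: str, days: Optional[int], now: datetime) -> str:
        secret = secrets.token_urlsafe(32)           # from the OS CSPRNG
        expires = now + timedelta(days=days) if days else None
        self.records[digest(secret)] = TokenRecord(name, digest(secret), expires)
        return secret                                # shown once, never stored

    def set_status(self, name: str, status: str) -> None:
        for rec in self.records.values():
            if rec.name == name and rec.status != "revoked":  # assumption: final
                rec.status = status

    def validate(self, presented: str, now: datetime) -> Optional[TokenRecord]:
        rec = self.records.get(digest(presented))    # look up by hash only
        if rec is None or rec.status != "active":
            return None                              # unknown, suspended, revoked
        if rec.expires_at is not None and now >= rec.expires_at:
            return None                              # expired
        rec.last_used = now                          # feeds "Last used"
        return rec


if __name__ == "__main__":
    store, t0 = TokenStore(), datetime.now(timezone.utc)
    tok = store.create("crm-connector-staging", 30, t0)   # constructed name
    print(store.validate(tok, t0) is not None)
```

Because only the digest is kept, a leaked copy of the store does not yield usable tokens, and a lost secret can only be replaced, not recovered.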

Best practices

  • Use short-lived tokens wherever possible and rotate regularly.

  • Issue separate tokens per integration or environment (for example, staging vs production).

  • Restrict access to the Manage API Tokens section to a minimal set of administrators.

  • Plan to adopt scopes/permissions per token once available for fine-grained access control.