Skip to main content

Create an API Token

An API token gives you programmatic access to <das-id>

You can create a token using the GUI or CLI.


If DAS Authz V2 (Fine-Grained RBAC) is enabled for your tenant, creating a token is no longer the complete workflow (regardless of path regular expression). API tokens must also have explicit permissions configured, otherwise they will have no entitlements. For more information, see API Token Permissions.

Using the GUI

  1. In the left-hand navigation panel, under WORKSPACE, click on your company’s WORKSPACE.
  2. Click Access Control >> API Tokens >> Add API Token.
  3. Enter the form with the following details.
    • Pathname (required): A unique, hierarchical name. For example, test/retail.
    • Description: An optional english documentation string.
    • Allowed API paths (required): A list of regular expressions dictating the paths through the API. This provides the following information about authorized tokens.
      • .* is authorized for all paths;
      • ^/data/foo is authorized for all paths starting with /data/foo.
  4. Now, click the Add API token button to add a new API token.

Using the CLI

To create a token with Pathname alice/test, run the following command.

styra create token alice/test

You can control the authorized paths with flags. To learn more about creating a token, run the following command.

styra create token --help

Add API Tokens and Add Token Permissions to the Workspace

In the previous DAS, when a user creates an API Token, by default, the token is given the same permissions as the user. Since a DAS user must be a WorkspaceAdministrator to create an API Token then all API Tokens are WorkspaceAdministrator with full control of the Workspace.


Creating a token (even with path regular expression) is not the completed workflow. API tokens must have rolebindings configured else they have no entitlements/permissions.

The new DAS Authorization model remedies this by no longer granting an API Token permissions to any workspace, system, or stack by default. Instead, the following rules apply:

  • Only a WorkspaceAdministrator must explicitly add Workspace permissions for an API Token.

  • A WorkspaceAdministrator, SystemOwner, or StackOwners must explicitly add system or stack permissions for an API Token.

To add an API Token, a user must have WorkspaceAdministrator role permissions on the Workspace level as follows:

In this example, Ruchita is a WorkspaceAdministrator who wants to add the following two tokens:

  • ruchita_wksp_API_access - Ruchita can use this token with the API to automate creating systems or stacks in the Workspace.

  • dev3_sys_API_access - Ruchita creates this token so the group dev_team3 can use this token with the API to automate specific updates to a system or stack they own: dev_system3.

Ruchita adds the two tokens to the Workspace as follows:

  1. In the DAS UI, click WORKSPACE >> hooli >> Access Control >> API Tokens.

  2. Clicks +Add API token and create the ruchita_wksp_API_access token.

  3. Click +Add API token and create the dev3_sys_API_access token.

In this example, Ruchita wants to use her token to create systems or stacks, so she must make the token a WorkspaceAdministrator on the Workspace level.

Ruchita adds the API token permissions at the Workspace level by doing the following:

  1. In the DAS UI, click WORKSPACE >> hooli >> Access Control >> Permissions.

  2. In the Permissions pane, click the (+) button and select Add API token permissions… button from the menu to add permissions for your API Token to the Workspace.

  3. In the hooli > Add API token permissions dialog, Ruchita does the following:

    • API tokens (required): Select or enter ruchita_wksp_API_access.

    • Roles (required): Select or enter the role WorkspaceAdministrator.

    • Click the Add API token permissions to Workspace button.

Now, the ruchita_wksp_API_access token WorkspaceAdministrator permissions for system3 is added. Ruchita can use the ruchita_wksp_API_access token with the API to create systems or stacks.