Skip to main content

Create an API Token

An API token gives you programmatic access to <das-id>

You can create a token using the GUI or CLI.


If DAS Authz V2 (Fine-Grained RBAC) is enabled for your tenant, creating a token is no longer the complete workflow (regardless of path regular expression). API tokens must also have explicit permissions configured, otherwise they will have no entitlements. For more information, see API Token Permissions.

Using the GUI

  1. In the left-hand navigation panel, under WORKSPACE, click on your company’s WORKSPACE.
  2. Click Access Control >> API Tokens >> Add API Token.
  3. Enter the form with the following details.
    • Pathname (required): A unique, hierarchical name. For example, test/retail.
    • Description: An optional english documentation string.
    • Allowed API paths (required): A list of regular expressions dictating the paths through the API. This provides the following information about authorized tokens.
      • .* is authorized for all paths;
      • ^/data/foo is authorized for all paths starting with /data/foo.
  4. Now, click the Add API token button to add a new API token.

Using the CLI

To create a token with Pathname alice/test, run the following command.

styra create token alice/test

You can control the authorized paths with flags. To learn more about creating a token, run the following command.

styra create token --help

Add API Tokens and Add Token Permissions to the Workspace

In previous iterations of Styra DAS, when a user would create an API Token, the token would be given the same permissions as the user by default. Because a DAS user needed to be a WorkspaceAdministrator to create an API Token, all API Tokens created by them were granted the WorkspaceAdministrator role as well. The new Styra DAS Authorization model addresses this limitation by no longer granting an API Token permissions to any workspace, system, or stack by default.


API tokens now require rolebindings in order to have permissions to various parts of the DAS. By default, a token starts without any access.

In the new permission model, the following rules apply:

  • Only a WorkspaceAdministrator can grant an API Token Workspace permissions.

  • Only a WorkspaceAdministrator, SystemOwner, or StackOwners can grant system or stack permissions to an API Token.

An example of creating an API token and granting it appropriate permissions goes as follows:

In this example, Ruchita is a WorkspaceAdministrator who wants to add the following two tokens:

  • ruchita_wksp_API_access - Ruchita can use this token with the API to automate creating systems or stacks in the Workspace.

  • dev3_sys_API_access - Ruchita creates this token so the group dev_team3 can use this token with the API to automate specific updates to a system or stack they own: dev_system3.

Ruchita adds the two tokens to the Workspace as follows:

  1. In the DAS UI, click WORKSPACE >> hooli >> Access Control >> API Tokens.

  2. Clicks +Add API token and create the ruchita_wksp_API_access token.

  3. Click +Add API token and create the dev3_sys_API_access token.

In this example, Ruchita wants to use her token to create systems or stacks, so she must make the token a WorkspaceAdministrator on the Workspace level.

Ruchita adds the API token permissions at the Workspace level by doing the following:

  1. In the DAS UI, click WORKSPACE >> hooli >> Access Control >> Permissions.

  2. In the Permissions pane, click the (+) button and select Add API token permissions… button from the menu to add permissions for your API Token to the Workspace.

  3. In the hooli > Add API token permissions dialog, Ruchita does the following:

    • API tokens (required): Select or enter ruchita_wksp_API_access.

    • Roles (required): Select or enter the role WorkspaceAdministrator.

    • Click the Add API token permissions to Workspace button.

Now, the ruchita_wksp_API_access token WorkspaceAdministrator permissions for system3 is added. Ruchita can use the ruchita_wksp_API_access token with the API to create systems or stacks.