Mint an API token for a service account
POST/organizations/:organization_id/users/:user_id/tokens
Issues an oat_… API token for a client-managed service account. The secret token value is returned exactly once, in this response (data.token) — it cannot be retrieved later.
The scope selects the token's ability set:
api-key(default whenscopeis omitted) — read-only abilities across all resources (*:read). NOTE: this scope cannot execute workflows/agents, because it lacksworkflow:write/job:write.api-secret— full read + write abilities across all resources (includingworkflow:writeandjob:write). Useapi-secretto mint a token that can run agents/workflows.
Only api-key and api-secret are accepted on this endpoint; the platform-wide unrestricted (*) scope is rejected with an invalid-scope error. The name is stored prefixed (API_KEY: \{name\}). expiresIn (milliseconds) is optional; tokens never expire when omitted.
Policy: the target user MUST be client-managed (minting for a human user is forbidden → 401). The caller must hold user:write, the organization must be enterprise, and the caller must have at least the org-admin role.
Request
Responses
- 200
- 400
- 401
- 404
The minted token. data.token (the oat_… secret) is present only in this response.
Invalid access token scope (only api-key and api-secret are accepted)
Caller lacks permission, or the target is not a client-managed user
Organization or user not found