Skip to main content

Mint an API token for a service account

POST 

/organizations/:organization_id/users/:user_id/tokens

Issues an oat_… API token for a client-managed service account. The secret token value is returned exactly once, in this response (data.token) — it cannot be retrieved later.

The scope selects the token's ability set:

  • api-key (default when scope is omitted) — read-only abilities across all resources (*:read). NOTE: this scope cannot execute workflows/agents, because it lacks workflow:write/job:write.
  • api-secret — full read + write abilities across all resources (including workflow:write and job:write). Use api-secret to mint a token that can run agents/workflows.

Only api-key and api-secret are accepted on this endpoint; the platform-wide unrestricted (*) scope is rejected with an invalid-scope error. The name is stored prefixed (API_KEY: \{name\}). expiresIn (milliseconds) is optional; tokens never expire when omitted.

Policy: the target user MUST be client-managed (minting for a human user is forbidden → 401). The caller must hold user:write, the organization must be enterprise, and the caller must have at least the org-admin role.

Request

Responses

The minted token. data.token (the oat_… secret) is present only in this response.