---
title: "Managing API Tokens"
description: "API tokens let you access the user management of the Lucanet CFO Solution Platform programmatically through the Platform API, without an interactive login. Each token is granted specific permissions and can be revoked at any time."
source_url: https://support.lucanet.com/en/documentation/administration/user-management/api-token-management
language: en
last_updated: 2026-06-19
---
# Managing API Tokens

## Overview

An **API token** is an alternative authentication method for accessing the Lucanet CFO Solution Platform programmatically through the Platform API, without an interactive login session. API tokens are typically used to automate user and access management, for example, to connect your central identity system and create, update, or deactivate users automatically.

Each API token has the following characteristics:

- It is **scoped**: each token is granted specific permissions that restrict which endpoints it can access.
- It is tied to a specific **user** and **tenant**. Any action performed with a token is attributed to the user who created it and is recorded in the [Change Log](https://support.lucanet.com/en/documentation/administration/user-management/users/change-log.md).
- It can be given an **expiration date** and can be **revoked** at any time.

{% warning-box %}
Your API tokens need to be treated as securely as any other password. Anyone who has a token can act on your behalf within the scope granted to it.
{% /warning-box %}

## Accessing API Token Management

To open the **API token management** workspace:

{% stepper %}
{% stepper-step %}
Click **Administration** in the main menu of the CFO Solution Platform.
{% /stepper-step %}
{% stepper-step %}
Open the **User management** area and click **API token management**.
{% /stepper-step %}
{% /stepper %}

The workspace has two tabs:

| Tab | Content |
|---|---|
| **Tokens** | The list of API tokens that currently exist for your tenant, where you create and revoke tokens |
| **API documentation** | The reference documentation for the Platform API: authentication, available scopes, endpoints, and example requests and responses |

## Viewing Your API Tokens

The **Tokens** tab lists all API tokens for your tenant. The **API token management** workspace is displayed as follows, for example:

The 'API token management' workspace

The following information is available for each token:

| Column | Description |
|---|---|
| Token name | The name given to the token when it was created |
| Created | The date and time the token was created |
| Expires | The date and time the token expires. A dash (—) indicates that the token has no expiration date. |
| Token type | The permissions (scopes) granted to the token: **Read**, **Write**, and/or **Read and write** |
| Actions | The option to revoke an active token. Tokens that can no longer be used are displayed as **Expired** or **Revoked** instead. |

## Creating an API Token

{% info-box %}
You can create a maximum of 25 API tokens at a time. A new token may take up to a minute to work after it has been created.
{% /info-box %}

To create an API token:

{% stepper %}
{% stepper-step %}
On the **Tokens** tab, click **Create API token**. The **Create API Token** dialog is displayed as follows, for example:

'Create API Token' dialog
{% /stepper-step %}
{% stepper-step %}
Enter a **Token name**. The name must contain at least 8 characters.
{% /stepper-step %}
{% stepper-step %}
Optional: Select an **Expiration date**. Tokens without an expiration date are less secure, so we recommend setting one.
{% /stepper-step %}
{% stepper-step %}
Under **Scopes of user management**, select the permissions the token should have. You must select at least one scope.

| Scope | Description |
|---|---|
| **Read** | Read-only access to User Management endpoints. |
| **Write** | Write access to User Management endpoints. |
| **Read and write** | Access to User Management bulk operations. |
{% /stepper-step %}
{% stepper-step %}
Click **Create**.
{% /stepper-step %}
{% stepper-step %}
In the **API Token Created** dialog, click **Copy** to copy the token, and store it in a secure location.

'API Token Created' dialog
{% /stepper-step %}
{% stepper-step %}
Select the check box to confirm that you have copied and securely stored the token, and click **Done**.
{% /stepper-step %}
{% /stepper %}

{% warning-box %}
The token value is displayed only once, immediately after creation. Copy it before you close the dialog. A lost token value cannot be retrieved; in that case, you have to create a new token instead.
{% /warning-box %}

## Revoking an API Token

Revoke a token when it is no longer needed or might be compromised.

{% stepper %}
{% stepper-step %}
On the **Tokens** tab, find the token you want to revoke and click **Revoke** in its row.
{% /stepper-step %}
{% stepper-step %}
In the **Revoke Token** dialog, click **Revoke token** to confirm.
{% /stepper-step %}
{% /stepper %}

{% warning-box %}
Revoking a token cannot be undone. Any integration that uses the token stops working within 60 seconds. The action is recorded in the change log. After revoking, the token is displayed as **Revoked** in the list.
{% /warning-box %}

## API Documentation

Open the **API documentation** tab for the full Platform API reference, where API tokens are referred to as **Personal Access Tokens (PATs)**. It includes:

- **Authentication**: pass the token in the `Authorization` header as a Bearer token, in the form `Authorization: Bearer pat_<tenantId>_<token>`.
- **Available scopes**: `um:read`, `um:write`, and `um:bulk`, which correspond to the **Read**, **Write**, and **Read and write** options in the token dialog. A token can have one or more scopes. A request to an endpoint the token is not scoped for is rejected with **403 Forbidden**.
- **Endpoints**: the available user management operations (read, write, and bulk), with example requests, responses, and error codes.

Because every action performed with a token is attributed to the user who created it, you can trace API-driven changes in the [Change Log](https://support.lucanet.com/en/documentation/administration/user-management/users/change-log.md).
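
The following Python sketch is an added example, not code from Lucanet or the Platform API reference. It builds the `Authorization` header from a token injected at runtime and finds and masks token-shaped strings in configuration or log text. The environment variable name `LUCANET_PAT`, the assumed character set of the tenant ID and token, and the sample values are all assumptions.

```python
import os
import re

# Assumed character set: the page gives only the shape pat_<tenantId>_<token>.
# The tenant ID is assumed to contain no underscore, so the first "_" after it
# separates the tenant ID from the secret part.
PAT_RE = re.compile(r"(?<![A-Za-z0-9_-])pat_([A-Za-z0-9-]+)_([A-Za-z0-9_-]+)")


def redact(text: str) -> str:
    """Mask the secret part of every PAT-shaped string, keeping the tenant ID."""
    return PAT_RE.sub(lambda m: f"pat_{m.group(1)}_***", text)


def find_leaks(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted line) for each line that contains a token."""
    return [(n, redact(line.strip()))
            for n, line in enumerate(text.splitlines(), start=1)
            if PAT_RE.search(line)]


def auth_header(env_var: str = "LUCANET_PAT") -> dict[str, str]:
    """Build the Authorization header from an environment variable.

    The variable name is hypothetical; the token is injected at runtime
    instead of being written into source or configuration files.
    """
    token = os.environ.get(env_var, "").strip()
    if not PAT_RE.fullmatch(token):
        # Never echo the value itself in the error message.
        raise ValueError(f"{env_var} is unset or not in pat_<tenantId>_<token> form")
    return {"Authorization": f"Bearer {token}"}


# Constructed sample: a config file and a debug log line with a made-up token.
SAMPLE = """\
base_url = https://platform.example.invalid
api_token = pat_tenant-42_EXAMPLEonlyNOTaREALtoken
2026-01-01 12:00:00 DEBUG headers={'Authorization': 'Bearer pat_tenant-42_EXAMPLEonlyNOTaREALtoken'}
retries = 3
"""

if __name__ == "__main__":
    for line_no, line in find_leaks(SAMPLE):
        print(f"line {line_no}: {line}")
```

Run `find_leaks` over repository files or log exports before sharing them. If it reports a hit, revoke the affected token and create a new one, because the token value cannot be retrieved or changed after creation.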
