API tokens

Create and revoke personal API tokens for the SlugBase REST API, and authenticate with Bearer tokens.

What this is for

Personal API tokens let scripts, CLIs, or other tools call the SlugBase REST API as you, using an Authorization header instead of a browser session. You create and revoke them from the Profile page under Developer / API Access.

Before you start

  • You must be signed in.
  • Treat tokens like passwords: anyone with a valid token can act as your user within the API’s permissions.

The in-app warning states: API tokens grant full access to your account. Store them securely and never share them.

Open API tokens on Profile

Open Profile

From the top bar user menu, choose Profile.

Find Developer / API Access

Scroll to the card titled Developer / API Access (with an Advanced badge). The description is Create and manage personal API tokens for REST API authentication.

Optional: use View API documentation in that section to open the published API reference (hosted docs; path depends on your edition).

Create a token

Start creation

Select Create token.

Name the token

Enter a Token name (the field's placeholder suggests e.g. CLI, CI/CD). Names are required and help you tell tokens apart later.

Create and copy

Confirm creation. The app shows Token created and warns: This token will not be shown again. Copy it now. Use Copy token to copy the secret, then store it in a safe place (password manager, secret store, or CI secrets)—you cannot retrieve the raw value again from the UI.

New tokens use the sb_ prefix (SlugBase API token format).

List and revoke tokens

Under Your tokens, each row shows the token name, a masked secret (sb_ followed by asterisks), Created and Last used timestamps (Never used if applicable), and Revoke.

Revoke a token

Select Revoke for that token. Confirm when prompted (Are you sure you want to revoke this token? It will stop working immediately.). Revoked tokens stop working right away.

Use a token in API requests

Send the token in the Authorization header as a Bearer token:

Authorization: Bearer sb_your_token_here

The API accepts either a normal session (browser cookie after login) or this Bearer form for API tokens, as described in the self-hosted OpenAPI overview.

Point your HTTP client at your instance’s API base URL (typically the /api prefix on the same host you use for the app, depending on how you deployed SlugBase).

Limits and behavior

| Topic | Behavior |
| --- | --- |
| How many tokens | Up to 10 active tokens per user. If you hit the limit, revoke one before creating another. The API returns an error explaining this. |
| Creation rate | In production, token creation is rate-limited (abuse protection). If you see a “too many attempts” style message, wait and try again later. |
| Storage | The server stores only a hash of the token; the full secret is shown once at creation. |
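
The limits and storage behavior described above, modeled as an added example (this is not SlugBase's own code): a token store that keeps only a digest, enforces the 10-token limit, masks the listing, and stops accepting a token once it is revoked. The `TokenStore` class, the choice of SHA-256, the random part's length, and revoking by name are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timezone

MAX_ACTIVE = 10  # per-user limit stated on this page
PREFIX = "sb_"   # token prefix stated on this page

class TokenStore:
    """Illustrative in-memory model: keeps digests only, never raw tokens."""

    def __init__(self):
        self._rows = {}  # sha256 hex digest -> row metadata

    @staticmethod
    def _digest(raw):
        # SHA-256 is an assumption; the page only says "a hash".
        return hashlib.sha256(raw.encode()).hexdigest()

    def create(self, name):
        if not name.strip():
            raise ValueError("token name is required")
        if len(self._rows) >= MAX_ACTIVE:
            raise RuntimeError("token limit reached; revoke one first")
        raw = PREFIX + secrets.token_urlsafe(32)  # random part length assumed
        self._rows[self._digest(raw)] = {
            "name": name, "created": datetime.now(timezone.utc), "last_used": None}
        return raw  # shown once; only the digest is retained

    def authenticate(self, header):
        scheme, _, raw = header.partition(" ")
        if scheme.lower() != "bearer" or not raw.startswith(PREFIX):
            return None
        row = self._rows.get(self._digest(raw))  # lookup by digest only
        if row is None:
            return None  # unknown or revoked token
        row["last_used"] = datetime.now(timezone.utc)
        return row["name"]

    def revoke(self, name):
        # Names are treated as unique in this model (assumption).
        doomed = [d for d, r in self._rows.items() if r["name"] == name]
        for d in doomed:
            del self._rows[d]
        return bool(doomed)

    def listing(self):
        return [(r["name"], PREFIX + "*" * 8, r["last_used"] or "Never used")
                for r in self._rows.values()]
```

Because only the digest is retained, a leaked copy of the store's rows does not yield usable tokens, and the UI has nothing to show except the masked form.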