logo
Your accountAPI tokens

API tokens

Create and revoke personal API tokens for the SlugBase REST API, and authenticate with Bearer tokens.

What this is for

Personal API tokens let you access the SlugBase API from scripts, CLI tools, or other integrations — without needing to log in through the browser each time. You create and revoke them from Profile → Developer / API Access.

Before you start

  • You must be signed in.
  • Treat tokens like passwords: anyone who has your token can use the API as you.

The in-app warning states: API tokens grant full access to your account. Store them securely and never share them.

Open API tokens on Profile

Open Profile

From the top bar user menu, choose Profile.

Find Developer / API Access

Scroll to the card titled Developer / API Access (with an Advanced badge). The description is Create and manage personal API tokens for REST API authentication.

Optional: use View API documentation in that section to open the published API reference (hosted docs; path depends on your edition).

Create a token

Start creation

Select Create token.

Name the token

Enter a Token name (for example the placeholder style e.g. CLI, CI/CD). Names are required and help you tell tokens apart later.

Create and copy

Confirm creation. The app shows Token created and warns: This token will not be shown again. Copy it now. Use Copy token to copy the secret, then store it in a safe place (password manager, secret store, or CI secrets)—you cannot retrieve the raw value again from the UI.

New tokens start with sb_.

List and revoke tokens

Under Your tokens, each row shows the token name, a masked secret (sb_ followed by asterisks), Created and Last used timestamps (Never used if applicable), and Revoke.

Revoke a token

Select Revoke for that token. Confirm when prompted (Are you sure you want to revoke this token? It will stop working immediately.). Revoked tokens stop working right away.

Use a token in API requests

Add the token to every request as a Bearer token in the Authorization header:

Authorization: Bearer sb_your_token_here

The API lives at the /api path on the same host as the app — for example https://bookmarks.example.com/api. Your self-hosted instance also serves the full API reference at /api-docs.

Limits and behavior

TopicBehavior
How many tokensUp to 10 active tokens per user. If you hit the limit, revoke one before creating another. The API returns an error explaining this.
Creation rateIn production, token creation is rate-limited (abuse protection). If you see a “too many attempts” style message, wait and try again later.
StorageThe server stores only a hash of the token; the full secret is shown once at creation.

Profile and preferences

Where Developer / API Access lives in the app.

Delete account

Deleting your account removes your data; revoke tokens first if others might still use them.

Was this page helpful?

Last updated 1 week ago

Built with Documentation.AI