# API Tokens

A CloudTruth API Token can be used with the [CloudTruth CLI](https://docs.cloudtruth.com/configuration-management/cli-and-api/cloudtruth-cli) and for authorization directly with the REST API. When you create an API Token, we create a Service Account automatically - this is a non-interactive User, but for purposes of access control it behaves just like a regular User. All of the actions performed with the API Token are entered into the Audit Log using this Service Account.

## Creating a Service Account and generating a token:

Only Contributor and higher roles can create Service Accounts and generate tokens. Service account role selection is based on the role of the user creating the service account, i.e. Contributor can only create a Service Account with Contributor or a lower privilege role. See [Role Permissions](https://docs.cloudtruth.com/org-management/user-directory#role-permissions) for more details.

1. From the left-hand navigation locate `Admin` -> `API Tokens`:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FQ8cOCSBGS6lGE1mux3Z7%2Fimage.png?alt=media&#x26;token=7efd5883-15a9-4998-aefa-144e64c269fe" alt="" width="563"><figcaption></figcaption></figure>

2. Click `+ Create Token`​ to open the `CREATE NEW API TOKEN` modal:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FwnXix652PaQTKHaDNzze%2Fcreate-token.png?alt=media&#x26;token=644754b3-8a66-4efd-8ade-904e4fb18a5d" alt="" width="465"><figcaption></figcaption></figure>

* TOKEN NAME - Typically the name of the service the Service Account's token will be used for
* DESCRIPTION - Optionally, describe the token's usage
* OWNER - Typically the User who created the Service Account or is actively using the token in their environment. Used mainly for auditing purposes. Admins and Owners can view and manage all tokens regardless of ownership.
* TOKEN PERMISSIONS - Set the Role the Service Account will have across the organization

{% hint style="info" %}
Service Account role assignments are organization-wide and treated the same as a [User Account](https://docs.cloudtruth.com/org-management/access-control/user-directory) following the defined [organization role permissions](https://docs.cloudtruth.com/org-management/user-directory#role-permissions).
{% endhint %}

3. Click `Generate Token` to create the new Service Account and generate the ACCESS TOKEN. The Service Account along with the exposed and copyable token are now in the tokens list:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2F81ChnKGoIp9oomUcG6Tl%2Fimage.png?alt=media&#x26;token=f25ce283-bfb7-4f4d-ab84-de2a3d7cb0d7" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
The ability to copy the new token string is only available immediately after creating or generating a new token for the Service Account. Once the page has been navigated away from or refreshed the token will no longer visible or obtainable.&#x20;
{% endhint %}

## Managing Service Accounts (API Tokens)

Service Accounts, for all intents and purposes, are treated the same as User Accounts without the ability to log in interactively. We provide easy mechanisms to update the Service Account's role, regenerate a token, or delete the Service Account. These options are found in the selection menu <img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FMHWzMUiHy4leSl5cqATM%2Fimage.png?alt=media&#x26;token=c7b0a5f5-8c06-4c30-9ad6-e13fd9673477" alt="" data-size="line"> to the right of the token:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FkmBAX4ZC3X4nWlagigrW%2Fimage.png?alt=media&#x26;token=6499617a-4e5d-4e18-8b75-8518ece388c4" alt=""><figcaption></figcaption></figure>

### Manage API Token

1. Select `Manage API Token` from the menu to open the `EDIT API TOKEN` modal:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FEsnv5HVqnwscYjvOkkis%2Fimage.png?alt=media&#x26;token=7a548e20-66ed-4733-9722-d7913377f517" alt="" width="467"><figcaption></figcaption></figure>

2. Here you can modify the Description, change Owner, and modify the Role.
3. Click `Update` to save the changes

### Regenerate API Token

1. Select `Regenerate API Token` from the menu to open the `REGENERATE TOKEN` modal:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FxYIMuEYabB3q6j98t0zo%2Fimage.png?alt=media&#x26;token=10fdc7a3-823c-451e-9d15-23394ba695dd" alt=""><figcaption></figcaption></figure>

* Here we have two options:
  * Regenerate and immediately expire the previous token
  * Regenerate and set an expiration date and time for the previous token to expire

#### Regenerate and expire immediately

Clicking `Regenerate` will close the modal and display the new token as we did during Service Account creation.

#### Regenerate and expire in the future

If expiring the token at a later date and time is desired, as in cases where updating critical processes to use the new token may take some time, we can leave the previous token active by checking the box and entering a date and time:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FQ9cZk6Cmjs3JCVU5yaLz%2Fimage.png?alt=media&#x26;token=b77083ef-2898-4abc-8879-e35cf21155ad" alt=""><figcaption></figcaption></figure>

2. After deciding which option is best, click the `Regenerate` button to create a new token for the service account. The token string will be displayed as before during Service Account creation.

### Deleting a Service Account

1. Selecting \`Delete API Token from the menu will prompt for confirmation:

<figure><img src="https://2952342643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGjN2Xg1mE8iTvg49dw%2Fuploads%2FEcWfvIXrJIBfrHLDSHKX%2Fimage.png?alt=media&#x26;token=57b42d33-234b-4fd8-8fde-ab077aea7673" alt="" width="490"><figcaption></figcaption></figure>

2. Click `Yes, delete` to delete the Service Account along with any associated token(s)

{% hint style="danger" %}
This will immediately prevent access to CloudTruth via the Service Account's associated token(s) and is irreversible! Take care when deleting Service Accounts and make their tokens are no longer in use.
{% endhint %}