API Tokens
API tokens are long-lived bearer credentials for the Conduit REST API. Use them in CI/CD pipelines, cron jobs, server-to-server integrations, and scripts where refreshing short-lived JWTs is impractical.
This page covers managing tokens through the web UI. For the API reference, HTTP shape, and a comparison of token vs. JWT auth, see Using the API → Authentication and API Tokens (API reference).
Creating a token
- Open the user menu and go to API tokens (/app/settings/api-tokens).
- Click + New Token.
- Fill in the form:
| Field | Notes |
|---|---|
| Token name | A label only you see (e.g. "GitHub Actions, staging"). |
| Expiry | Pick a duration, or Never. Tokens scoped to a specific use should always have an expiry. |
| Allowed IPs | Optional allowlist. One IP or CIDR per line; IPv4 and IPv6 are both accepted. Leave blank to allow any source IP. |
- Click Create token.
The raw token value is shown once at the top of the list page. Copy it immediately; Conduit never displays it again.
conduit_aB3c...raw-token-shown-once...
If you lose the token, revoke it and create a new one.
Using a token
Send the token in the Authorization header on every API request:
Authorization: Bearer conduit_aB3c...
The same header format works for both API tokens and session JWTs. Conduit tries JWT validation first and falls back to API tokens.
Restricting blast radius
Two restrictions reduce the damage if a token leaks:
- Expiry. Set the shortest practical lifetime. Renew or rotate by issuing a new token before the old one expires.
- Allowed IPs. If your CI runner or server has stable public IPs, list them. Requests from any other source are rejected with 401. CIDR notation is supported (10.0.0.0/8, 2001:db8::/32).
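As an added illustration (not Conduit's own code), this is how a server-side check of the two restrictions above can be implemented: an expiry that may be Never, and an Allowed IPs list entered one IP or CIDR per line where blank means any source. The token record and its field names are assumptions.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed token records; the field names are assumptions, not Conduit's schema.
TOKEN = {
    "name": "GitHub Actions, staging",
    "expires_at": datetime(2099, 1, 1, tzinfo=timezone.utc),  # None would mean "Never"
    # Allowed IPs exactly as typed in the form: one IP or CIDR per line.
    "allowed_ips": "10.0.0.0/8\n2001:db8::/32\n203.0.113.7\n",
}
EXPIRED_TOKEN = {"name": "old cron", "expires_at": datetime(2020, 1, 1, tzinfo=timezone.utc), "allowed_ips": ""}
OPEN_TOKEN = {"name": "legacy script", "expires_at": None, "allowed_ips": "  \n"}  # Never expires, any IP


def parse_allowlist(text: str) -> list:
    """Turn the form text into networks. An empty list means 'allow any source IP'."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # A bare address becomes a /32 or /128; strict=False tolerates host bits in a CIDR.
        nets.append(ip_network(line, strict=False))
    return nets


def source_allowed(allowed_text: str, source_ip: str) -> bool:
    nets = parse_allowlist(allowed_text)
    if not nets:
        return True  # blank allowlist: the form says any source IP is accepted
    addr = ip_address(source_ip)
    # `addr in net` is False when the address families differ (IPv6 caller vs IPv4 network).
    return any(addr in net for net in nets)


def check_token(token: dict, source_ip: str, now: Optional[datetime] = None) -> int:
    """Return the HTTP status the request should get: 200 if accepted, 401 if rejected."""
    now = now or datetime.now(timezone.utc)
    expires_at = token["expires_at"]
    if expires_at is not None and now >= expires_at:
        return 401  # expired: the token must be rotated, not extended
    if not source_allowed(token["allowed_ips"], source_ip):
        return 401  # caller is outside the allowlist
    return 200
```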
Listing and revoking
The list page shows every active token with its creation date, expiry (or Never expires), and the timestamp of its most recent successful API request (or Never used).
Click Revoke next to a token to invalidate it immediately. A caller still holding a revoked token is rejected on its next request.
Revocation is permanent. A revoked token cannot be reactivated; create a new one if needed.
The Last used column makes it easy to spot tokens that no longer have an active caller. A token that hasn't been used in months is a good candidate for revocation.
Issue one token per integration so revoking a leaked CI secret doesn't take down an unrelated production script. Rotate tokens periodically even when they haven't leaked, especially tokens without an expiry set.
Next steps
- Using the API. Endpoint reference for everything you can do with a token.
- Account Settings. Password, timezone, account deletion.