Personal Access Tokens - Public Beta

Personal Access Tokens (PATs) provide a secure way to authenticate with the Management API without an interactive OAuth login flow. They are intended for automated scripts, CI/CD pipelines, and other programmatic access scenarios. Each PAT is tied to the user who created it and inherits that user's permissions and access levels across all of that user's Agility instances.

Current Limitations

Agility does not yet offer a visual user interface for creating and managing Personal Access Tokens.

Agility CMS currently offers this functionality as a Beta, intended for developer testing and for Agility to gather feedback on the design and implementation.

While in Beta, Personal Access Tokens are not supported for production deployments or for any other business-critical functionality.

Creating and Managing PATs

Personal Access Tokens are created and managed through the Management API. The endpoints are documented in the "Personal Access Tokens" section of the Management API Swagger documentation: https://mgmt.aglty.io/index.html

PAT Usage Rules and Limitations

Token Creation

  • Personal Access Tokens can only be created by users authenticated via OAuth.
  • A Personal Access Token cannot be used to create additional personal access tokens.
  • The token secret is displayed only once during creation and cannot be retrieved afterward.
  • Token names and expiration dates remain viewable after creation.

Token Scope and Permissions

  • Each token operates on behalf of the user who created it.
  • Tokens inherit the same permissions as the creating user.
  • Personal Access Tokens do not have separate role-based access controls.
  • If the user's permissions change, the token's access changes accordingly.

Restricted Operations

  • Personal Access Tokens cannot be used to create or update users.

Token Lifecycle

  • Maximum token lifetime is 2 years from creation date.
  • Tokens automatically expire after their expiration date.
  • Tokens can be manually invalidated (revoked) by the user who created them.
  • Expired or revoked tokens cannot be restored or renewed.

Security Considerations

  • Token secrets are sensitive credentials and should be stored securely. Because a token carries every permission of the user who created it and has no separate scoping, a leaked token grants the same access as that user's account.
  • Use environment variables or secure secret management systems to store PATs.
  • Never commit tokens to version control.
  • Rotate tokens regularly; since expired or revoked tokens cannot be renewed, issue the replacement before revoking the old one.
  • Revoke unused or unnecessary tokens.

Best Practices

  • Create separate tokens for different applications or purposes.
  • Use descriptive names that indicate the token's purpose.
  • Set appropriate expiration dates based on your use case.
  • Monitor token usage and revoke any token showing suspicious activity.
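As an added example (not Agility's own code), the following Python helper shows one way to apply the Security Considerations and Best Practices above in an automation script: load the token from the environment and fail closed if it is absent, log only a fingerprint of it rather than the secret, clamp a requested lifetime to the 2-year maximum, and flag tokens that are expired or about to expire so a replacement can be issued before the old one lapses. The environment variable name AGILITY_PAT and the "Authorization: Bearer" header format are assumptions that this page does not state; confirm the header against the Management API Swagger documentation.

```python
"""Handling an Agility CMS Personal Access Token (PAT) in an automation script.

Added example, not Agility's own code. Two things are assumptions, not stated
on the page: the environment variable name AGILITY_PAT, and that the PAT is
sent as an HTTP "Authorization: Bearer" header.
"""
import hashlib
import os
from datetime import date, timedelta

# The page states the maximum token lifetime is 2 years from the creation date.
MAX_LIFETIME_DAYS = 2 * 365


def load_pat(env_var="AGILITY_PAT", environ=None):
    """Read the token from the environment and fail closed if it is missing.

    Reading it from the environment (or from a secret manager that injects
    into the environment) keeps the secret out of source files and git.
    """
    env = os.environ if environ is None else environ
    token = env.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a token")
    return token


def auth_header(token):
    """Build the request header. Bearer format is an assumption (see module docstring)."""
    return {"Authorization": f"Bearer {token}"}


def fingerprint(token):
    """Short SHA-256 prefix for log lines, so the secret itself is never logged.

    It identifies which of several purpose-specific tokens a run used
    without revealing any part of the token.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def choose_expiry(created, requested_days):
    """Pick an expiration date (ISO string), clamped to the 2-year maximum."""
    if requested_days < 1:
        raise ValueError("token lifetime must be at least one day")
    created_on = date.fromisoformat(created)
    return (created_on + timedelta(days=min(requested_days, MAX_LIFETIME_DAYS))).isoformat()


def tokens_needing_action(tokens, today, warn_days=30):
    """Flag tokens that have expired or expire within warn_days.

    `tokens` is a list of (name, "YYYY-MM-DD") pairs recorded from the names
    and expiration dates that remain viewable after creation. A token is
    "expired" once today is past its expiration date. Because expired and
    revoked tokens cannot be renewed, "expiring" means: create a replacement
    now, move the consumer over, then revoke the old token.
    """
    today_on = date.fromisoformat(today)
    flagged = []
    for name, expires_on in sorted(tokens, key=lambda t: date.fromisoformat(t[1])):
        expiry = date.fromisoformat(expires_on)
        if expiry < today_on:
            flagged.append((name, "expired"))
        elif expiry - today_on <= timedelta(days=warn_days):
            flagged.append((name, "expiring"))
    return flagged


if __name__ == "__main__":
    # Constructed sample inventory: one token per purpose, as the page recommends.
    inventory = [
        ("ci-deploy", "2025-06-01"),
        ("nightly-export", "2025-07-10"),
        ("legacy-script", "2026-01-01"),
    ]
    for name, status in tokens_needing_action(inventory, today="2025-06-20"):
        print(f"{name}: {status}")
    # Constructed token value; a real run would take it from the environment.
    pat = load_pat(environ={"AGILITY_PAT": "example-token-value"})
    print("running with token", fingerprint(pat))  # never print the token itself
```

Run it as `AGILITY_PAT=... python pat_helper.py`; a missing variable aborts the script before any request is built, which is the behaviour you want in a CI job rather than a request sent with an empty header.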