API Token access permissions

Bernie_Janes · July 27, 2023, 1:21am

Hi

I am a little confused with how to restrict the access permissions of API tokens. For clarity I was hoping to be able to restrict specific tokens to apps or resources ideally matching the access permissions of the user that created them.

This would seem to be supported as the create token dialog states -

Personal access tokens carry the access permissions of the user who created the token. We recommend each user create their own.

However, only users within the admin group can create tokens and, by definition, admins have full access to all resources and apps. This seems to make a nonsense of the statement (above) shown on the create token dialog.

What am I missing?

thanks in advance

bernie

Kabirdas · August 16, 2023, 4:54am

Hey @Bernie_Janes! Thanks for surfacing this, the wording is a bit confusing there. Access for the tokens is only limited by the scope that's defined when they are created. That means that, right now, API access won't have granular permissions at the resource level.

I'm curious to hear more about your use case here how are you thinking to implement the API?