API Token access permissions


I am a little confused about how to restrict the access permissions of API tokens. For clarity, I was hoping to be able to restrict specific tokens to apps or resources, ideally matching the access permissions of the user that created them.

This would seem to be supported, as the create token dialog states:

> Personal access tokens carry the access permissions of the user who created the token. We recommend each user create their own.

However, only users within the admin group can create tokens and, by definition, admins have full access to all resources and apps. This seems to make a nonsense of the statement (above) shown on the create token dialog.

What am I missing?

Thanks in advance.


Hey @Bernie_Janes! Thanks for surfacing this; the wording is a bit confusing there. Access for the tokens is only limited by the scope that's defined when they are created. That means that, right now, API access won't have granular permissions at the resource level.

I'm curious to hear more about your use case here. How are you thinking of implementing the API?