Personal Access Tokens

Learn about Personal Access Tokens and how they enable individual users to authenticate and consume RudderStack APIs.

Available Plans

starter
growth
enterprise

3 minute read

Use Personal Access Tokens for development or testing purposes only.
For production use cases, RudderStack recommends using the following over a Personal Access Token:
Workspace-level Service Access Tokens for working with workspace-level resources and APIs
Organization-level Service Access Tokens for working with SSO SCIM and the Audit Log API.

This guide explains the concept of Personal Access Tokens in RudderStack’s Access Management system. It also describes the steps to generate a Personal Access Token and all the operations associated with it.

Overview

To consume the public RudderStack APIs, you need a Personal Access Token (PAT). This access token is associated with an individual’s RudderStack account.

Permissions

You can create and use Personal Access Tokens with the following scopes:

Token scope	Description
Read-Only	Access tokens will have read-only permissions.
Read-Write	Access tokens will have both read-only and read-write permissions of the user. If a user having read-only permissions creates a Read-Write token, then the token will still have read-only permissions.
Admin	Creation of new Personal Access Tokens with Admin scope is deprecated. However, any existing Admin PATs will continue to work as before, even after migration.

Personal Access Tokens vs. Service Access Tokens

Personal Access Tokens (PAT)	Service Access Tokens (SAT)
Tied to a specific user within a workspace.	Not tied to an individual user.
Used for individual tasks and testing.	Used for centralized, shared access and production use cases.
Any processes dependent on these tokens will break if the user is removed from the organization or a breaking change is made to their permissions.	Exist at an organization or workspace level, ensuring continuity in essential workflows and pipelines using these tokens.

Generate Personal Access Token

Log in to your RudderStack dashboard.
Go to Settings > Your Profile and scroll down to Personal Access Tokens. Then, click Generate new token:

New Personal Access Token in RudderStack dashboard

Enter the Token name, select the Workspace and the Scope from the respective dropdowns:

Personal Access Token name and scope

Click Generate.
Note the Personal Access Token value.

Make sure to secure the generated token — the token value is not visible again once you close this window.

Personal Access Token details

Delete Personal Access Token

Go to Settings > Your Profile and scroll down to Personal Access Tokens.
Click the Delete option next to the token and confirm by clicking Yes, delete.

Migrate old Personal Access Tokens

After migration, Personal Access Tokens:

Inherit user permissions: Personal Access Tokens continue to inherit the permissions of the user who created them. Since user permissions are migrated to their Member Workspace Policy, Personal Access Tokens automatically reflect those permissions.
Maintain scope behavior: Personal Access Tokens created with Read-Only or Read-Write scopes continue to work as before, with their effective permissions determined by the user’s Individual Workspace Policy.

See the Migration Scenarios guide for detailed examples of how Personal Access Tokens are migrated to the new Access Management system.

This site uses cookies to improve your experience. If you want to learn more about cookies and why we use them, visit our cookie policy. We'll assume you're ok with this, but you can opt-out if you wish