Create personal access token
POST/personal-access-tokens
This creates a personal access token.
expirationDate and userAwareTokenNeverExpires Relationship:
Important: When expirationDate is null or empty (not included in the request body), the token will never expire.
Required Validation: If expirationDate is null or empty, userAwareTokenNeverExpires must be set to true. This is a required validation rule.
The valid values for expirationDate depend on the value provided for userAwareTokenNeverExpires:
- When
userAwareTokenNeverExpiresistrue(or required to betrue):expirationDatecan benullor omitted from the request body. WhenexpirationDateisnullor empty, the token will never expire. This creates a PAT that never expires and serves as an explicit acknowledgment that the user is aware of the security implications of creating a non-expiring token. * WhenuserAwareTokenNeverExpiresisfalseor omitted:expirationDatemust be provided and must be a valid date-time string representing a future date (there is no upper limit).expirationDatecannot benullin this case. In this scenario,userAwareTokenNeverExpirescan be omitted. Validation Rules: * IfexpirationDateisnullor not included in the request body:userAwareTokenNeverExpiresmust be set totrue(required). The token will never expire. * IfexpirationDateis provided and is notnull:userAwareTokenNeverExpirescan be omitted. Security Considerations: TheuserAwareTokenNeverExpiresfield is designed to ensure that users explicitly acknowledge the security implications of creating tokens that never expire. Setting this field totrueindicates that the user understands the increased security risks and has made an informed decision to proceed. Note: TheuserAwareTokenNeverExpiresfield indicates that the user acknowledges they are creating a token that will never expire. It does not affect token behavior beyond indicating this acknowledgment.
Request
Responses
- 200
- 400
- 401
- 403
- 429
- 500
Created. Note - this is the only time Personal Access Tokens' secret attribute will be displayed.
Client Error - Returned if the request body is invalid.
Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.
Forbidden - Returned if the user you are running as, doesn't have access to this end-point.
Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
Internal Server Error - Returned if there is an unexpected error.