Machine Account Tokens
Device and service accounts are machine identities — they have no OAuth login and authenticate exclusively via API tokens.
How Machine Tokens Differ from User Tokens
| | User Token | Machine Account Token |
|---|---|---|
| Issued to | A human user | A device or service account |
| Scopes | User's current group memberships | Machine account's group memberships |
| Lifespan | Typically short- to medium-lived; rotated periodically | Long-lived; intended for persistent programmatic use |
| OAuth login | Yes (fallback) | No — token is the only auth method |
The key difference is scope source: a user token reflects the issuing user's permissions, while a machine account token reflects the permissions configured on the machine account itself via its group memberships. The admin who creates the token does not grant their own permissions to it.
Creating a Machine Account Token
- Open the Dashboard and navigate to Accounts.
- Select the device or service account you want to create a token for.
- Click Create Token and optionally enter a description.
- Copy the token immediately — it is shown only once.
Machine account tokens use the same stx_live_<ULID>_<random> format as user tokens.
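Because the format is fixed, leaked tokens can be detected and redacted in CI logs. The scanner below is an added example, not Stowix code: it assumes the charset and minimum length of the random part, that the ULID is minted at token creation and is not itself secret, and a hypothetical 90-day staleness threshold.

```python
import re
from datetime import datetime, timezone

CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # ULID alphabet: no I, L, O, U

# stx_live_<ULID>_<random>: a ULID is 26 Crockford characters, the first 0-7.
# The charset and minimum length of <random> are assumptions.
TOKEN_RE = re.compile(r"stx_live_([0-7][0-9A-HJKMNP-TV-Z]{25})_([A-Za-z0-9_-]{16,})")

# Constructed sample: a CI log that echoed a token (not a real credential).
SAMPLE_LOG = (
    "2024-10-01T12:00:00Z step=push STOWIX_TOKEN="
    "stx_live_01J0000000ABCDEFGHJKMNPQRS_x9Qe2LmTz04KpVbA7cYh\n"
    "2024-10-01T12:00:01Z step=push status=ok\n"
)
SAMPLE_NOW = datetime(2024, 10, 1, 12, tzinfo=timezone.utc)


def ulid_time(ulid: str) -> datetime:
    """Decode the 48-bit millisecond timestamp held in the first 10 characters."""
    ms = 0
    for ch in ulid[:10]:
        ms = ms * 32 + CROCKFORD.index(ch)
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def scan(text: str, now: datetime, max_age_days: int = 90):
    """Return (redacted_text, findings) for every token-shaped string in text."""
    findings = []

    def redact(match: re.Match) -> str:
        ulid = match.group(1)
        # Assumption: the ULID is minted when the token is created, so its
        # timestamp gives the token's age.
        age = (now - ulid_time(ulid)).days
        findings.append({"ulid": ulid, "age_days": age, "stale": age > max_age_days})
        # Keep the ULID (assumed non-secret) so the token can be found and
        # revoked; drop the random part.
        return f"stx_live_{ulid}_[REDACTED]"

    return TOKEN_RE.sub(redact, text), findings


if __name__ == "__main__":
    redacted, found = scan(SAMPLE_LOG, SAMPLE_NOW)
    print(redacted, found)
```

Any token this scanner finds in a log or repository should be treated as exposed and revoked, whatever its age.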
Example: CI/CD Pipeline
A GitHub Actions workflow that pushes build artifacts needs write access to a specific repository. The correct setup is:
- Create a service account named github-actions.
- Add it to a group (e.g., nix-contributors) with repo:nix-cache:write scope.
- Create a token for the github-actions account.
- Store the token as a GitHub Actions secret (STOWIX_TOKEN).
The workflow now authenticates as github-actions — not as any individual developer — and has exactly the scopes defined on its group.
Revoking Machine Tokens
Revoking machine account tokens works exactly like user tokens:
- Individual revoke: Go to Dashboard → Accounts → [account name] and click Revoke next to the token.
- Revoke all: Click Revoke All to invalidate every token for that machine account at once.
Revocation is immediate.