User API Tokens
API tokens let you authenticate as yourself programmatically — from the CLI, scripts, or CI pipelines running under your identity.
Token Format
All Stowix tokens use the format stx_live_<ULID>_<random>, where:
- <ULID> encodes the token's creation timestamp and serves as the database lookup key
- <random> is 32 bytes of cryptographically secure random data, base64url-encoded
Example:
stx_live_01JABCDEF1234567890ABCDEF_Kw3mZ9xRvN2pLqYfBsHtUeAcDgJiOlXn
The ULID prefix makes tokens lexicographically sortable by creation time. The random suffix ensures the token cannot be guessed even if the ULID is known.
Creating a Token
- Open the Dashboard and navigate to Settings → API Tokens.
- Click Create Token.
- Optionally enter a description to identify the token's purpose (e.g., laptop-cli, github-actions-read).
- Copy the token immediately — it is shown only once.
Token Permissions
A user token carries the same scopes as the issuing user's group memberships, evaluated at the time of each API call. There is no snapshot of permissions at creation time: if your group memberships change, all existing tokens immediately reflect the new set of scopes.
Revoking a Token
To revoke an individual token:
- Go to Dashboard → Settings → API Tokens.
- Find the token you want to invalidate and click Revoke.
Revocation is immediate — the token stops working the moment it is revoked.
Revoking All Tokens
Click Revoke All on the API Tokens page to invalidate every token associated with your account at once. Use this if you suspect a token was compromised or want to rotate all credentials quickly.
Security
- Treat tokens like passwords. Anyone with your token can act with your permissions.
- Never commit tokens to version control.
- Store tokens in environment variables or a secrets manager (e.g., GitHub Actions Secrets, HashiCorp Vault, 1Password).
- Use the description field to make it easy to identify and revoke specific tokens later.
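
The following Python script is an added example, not Stowix's own code. It connects the token format described above to the "never commit tokens" advice: it finds Stowix-format tokens in text (for instance in a pre-commit or CI check), decodes the creation time from the ULID, and redacts the random suffix before anything is logged. The regex length bounds and all function names are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Crockford base32 alphabet used by ULIDs (no I, L, O, U).
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"

# Lengths are deliberately loose (an assumption) so the sample token on this
# page also matches; for a secret scanner a false positive is cheaper than a miss.
TOKEN_RE = re.compile(r"stx_live_([0-9A-HJKMNP-TV-Z]{20,26})_([A-Za-z0-9_-]{32,})")


def ulid_created_ms(ulid: str) -> int:
    """Decode the first 10 ULID characters into milliseconds since the Unix epoch."""
    ms = 0
    for ch in ulid[:10]:
        ms = ms * 32 + CROCKFORD.index(ch)
    return ms


def scan(text: str) -> list[dict]:
    """Return one finding per token, never including the random (secret) part."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            ulid = m.group(1)
            created = datetime.fromtimestamp(ulid_created_ms(ulid) / 1000, tz=timezone.utc)
            findings.append({
                "line": lineno,
                "redacted": f"stx_live_{ulid}_<redacted>",
                "created_utc": created.isoformat(timespec="seconds"),
            })
    return findings


def redact(text: str) -> str:
    """Replace the random suffix of every token so the text is safe to log."""
    return TOKEN_RE.sub(r"stx_live_\1_<redacted>", text)


# Constructed sample input: a CI config with this page's example token pasted in.
SAMPLE = """\
env:
  STOWIX_TOKEN: stx_live_01JABCDEF1234567890ABCDEF_Kw3mZ9xRvN2pLqYfBsHtUeAcDgJiOlXn
  OTHER: stx_live_not_a_token
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A non-empty result from scan() is the signal to block the commit and revoke the affected token from the API Tokens page.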