What Is an API Token (Personal Access Token)?
API tokens, also called personal access tokens (PATs), solve a specific authentication problem: how do you let automated tools access your account when there is no browser to handle a login flow? A PAT is a secret string that acts as proof of identity. The client includes it in every request, and the server validates it against the user's account.
PATs differ from session cookies in important ways. Session cookies are short-lived and tied to a browser, while PATs are long-lived and work from any client. PATs can be scoped to limit what they can do: a read-only token cannot make changes, an AI-scoped token can only access AI-related endpoints, and a full-access token has the same permissions as the user. This granularity lets developers follow the principle of least privilege.
Revocation is the safety mechanism. If a token is leaked or no longer needed, the user revokes it instantly and all clients using that token are immediately denied access. This is safer than password-based auth, where a leaked password requires a full credential rotation.
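The server-side check described above (validate the token, enforce its scope, honor revocation), sketched as an added example that is not Gameframe's code or API. The `Bearer` header format, the `pat_` prefix, storing only a SHA-256 digest of each token, and the `TokenStore` class and its method names are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SCOPES = {"read", "write", "ai"}  # scope names taken from the text above


class TokenStore:
    """In-memory PAT store (hypothetical). Keeps only a digest of each token."""

    def __init__(self):
        self._tokens = {}  # sha256 hex digest -> record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, scopes):
        scopes = set(scopes)
        if not scopes or not scopes <= SCOPES:
            raise ValueError("unknown or empty scope set")
        token = "pat_" + secrets.token_urlsafe(32)  # shown to the user once
        self._tokens[self._digest(token)] = {
            "user": user, "scopes": scopes, "revoked": False, "last_used": None}
        return token

    def revoke(self, token):
        rec = self._tokens.get(self._digest(token))
        if rec:
            rec["revoked"] = True  # every client holding the token fails from now on

    def last_used(self, token):
        rec = self._tokens.get(self._digest(token))
        return rec["last_used"] if rec else None

    def authorize(self, auth_header, required_scope):
        """Return (http_status, user) for one request."""
        scheme, _, token = (auth_header or "").partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return (401, None)
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["revoked"]:
            return (401, None)      # unknown or revoked: not authenticated
        rec["last_used"] = time.time()  # audit trail, recorded even if scope denies
        if required_scope not in rec["scopes"]:
            return (403, None)      # authenticated, but the scope does not allow it
        return (200, rec["user"])
```

Because only the digest is stored, a copy of the token table does not reveal usable tokens, and revocation takes effect on the very next request.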
How Gameframe Handles This
Create API tokens in Settings > API Tokens with configurable scopes (read, write, AI). The MCP server uses your API token to authenticate. Each token shows its last-used timestamp so you can audit activity and revoke tokens you no longer need.