Set Up Personal Access Tokens

How to create and use personal access tokens for automation and non-interactive API access.

Personal access tokens are the supported credential for external API usage. Use them for scripts, backend services, generated clients, and operational tooling.

PATs are sent directly as bearer credentials:

curl -H "Authorization: Bearer $PIX_PAT" "$API_BASE/v1/auth/tokens"

Do not use browser session cookies for external clients. Cookies are tied to interactive session behavior, refresh rotation, and browser CSRF protections.

Create A Token

Authenticated users can create PATs through POST /v1/auth/tokens.

{
  "name": "nightly-import",
  "expiresAt": "2026-12-31T23:59:59Z",
  "permissions": []
}

The API returns the full token once. Store it in the secret manager for the calling system.

List And Revoke

Use GET /v1/auth/tokens to list token metadata. The secret value is not returned after creation.

Use DELETE /v1/auth/tokens/{tokenId} to revoke a token. Revocation takes effect for future requests.

Scalar

Scalar still supports bearer authentication. Paste a PAT into the bearer auth field when testing external-client behavior. If you are signed in through the browser session on the same API host, Scalar requests can also use the HttpOnly session cookie automatically.

On this page