> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gavai.io/llms.txt
> Use this file to discover all available pages before exploring further.

# API tokens

> Create, inspect, rotate, and revoke workspace-scoped API keys.

export const ErrorTable = ({errors}) => <div className="gv-error-table" role="table" aria-label="Errors and fixes">
    <div className="gv-error-table__head" role="row">
      <span className="gv-error-table__col-head" role="columnheader">Error</span>
      <span className="gv-error-table__col-head" role="columnheader">Cause</span>
      <span className="gv-error-table__col-head" role="columnheader">Fix</span>
    </div>
    {errors.map((err, i) => <div className="gv-error-table__row" role="row" key={i}>
        <code className="gv-error-table__code" role="cell">{err.code}</code>
        <div className="gv-error-table__cause" role="cell">{err.cause}</div>
        <div className="gv-error-table__fix" role="cell">{err.fix}</div>
      </div>)}
  </div>;

export const Def = ({term, type, defaultValue, required, children}) => <>
    <dt className="gv-def-list__term">
      <span className="gv-def-list__name">{term}</span>
      {type && <span className="gv-def-list__type">{type}</span>}
      {required && <span className="gv-def-list__required">required</span>}
      {defaultValue !== undefined && <span className="gv-def-list__default">
          default <code>{defaultValue}</code>
        </span>}
    </dt>
    <dd className="gv-def-list__description">{children}</dd>
  </>;

export const DefList = ({children}) => <dl className="gv-def-list">{children}</dl>;

export const ExpectedOutput = ({caption = "Expected output", children}) => <div className="gv-output">
    <div className="gv-output__label">
      <svg className="gv-output__icon" viewBox="0 0 24 24" width="14" height="14" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true">
        <polyline points="15 10 20 15 15 20" />
        <path d="M4 4v7a4 4 0 0 0 4 4h12" />
      </svg>
      <span>{caption}</span>
    </div>
    <div className="gv-output__body">{children}</div>
  </div>;

export const APIBadge = ({method = "GET", path, scope}) => {
  const m = method.toUpperCase();
  return <span className="gv-api-badge">
      <span className={`gv-api-badge__method gv-api-badge__method--${m.toLowerCase()}`}>
        {m}
      </span>
      <code className="gv-api-badge__path">{path}</code>
      {scope && <span className="gv-api-badge__scope">
          <span className="gv-api-badge__scope-label">scope</span>
          <code>{scope}</code>
        </span>}
    </span>;
};

export const Eyebrow = ({label, tone = "default"}) => <div className={`gv-eyebrow gv-eyebrow--${tone}`}>
    <span className="gv-eyebrow__bar" aria-hidden="true" />
    <span className="gv-eyebrow__label">{label}</span>
  </div>;

<Eyebrow label="RESOURCE" />

API tokens — also called workspace API keys — are the primary credential for machine-to-machine access. Each token is bound to a single workspace and carries an explicit scope set chosen at creation. Live keys (`gak_live_*`) target production; test keys (`gak_test_*`) target a sandbox with isolated data and no real Stripe charges. The secret value is returned exactly once at creation — there is no way to retrieve it later. By the end of this page you will know which endpoints exist and the lifecycle rules that govern them.

## What a token looks like

<ExpectedOutput>
  ```json theme={null}
  {
    "id":           "tok_01H...",
    "name":         "ci-deploy",
    "scopes":       ["pages:write", "deployments:write"],
    "mode":         "live",
    "created_at":   "2026-01-15T09:00:00Z",
    "last_used_at": "2026-05-10T14:32:00Z"
  }
  ```
</ExpectedOutput>

Metadata is freely readable; the secret never appears on a read.

## Endpoints

<APIBadge method="GET" path="/v1/workspaces/{slug}/tokens" scope="tokens:read" />

List all tokens in the workspace.

<APIBadge method="POST" path="/v1/workspaces/{slug}/tokens" scope="tokens:write" />

Create a new API token. Secret returned once.

<APIBadge method="GET" path="/v1/workspaces/{slug}/tokens/{id}" scope="tokens:read" />

Fetch token metadata. Never the secret.

<APIBadge method="POST" path="/v1/workspaces/{slug}/tokens/{id}/rotate" scope="tokens:destructive" />

Issue a new secret and invalidate the old one.

<APIBadge method="DELETE" path="/v1/workspaces/{slug}/tokens/{id}" scope="tokens:destructive" />

Permanently revoke the token.

## Rules to know before you call

<DefList>
  <Def term="Secret shown once">`POST /tokens` returns `{ token, key }`. The `key` field appears exactly once — store it in your secret manager immediately.</Def>
  <Def term="Scope grant cap">You cannot mint a token with more permissions than your caller token holds. The mint must hold each scope you grant, or a broader scope that implies it.</Def>
  <Def term="Rotation behaviour">`POST /tokens/{id}/rotate` returns a fresh secret. The old secret stops working immediately. Update consumers before triggering rotation.</Def>
  <Def term="Revocation">`DELETE /tokens/{id}` returns `204` and is permanent — there is no undelete.</Def>
</DefList>

## Common errors

<ErrorTable
  errors={[
{ code: "403 insufficient_scope", cause: "Your caller token does not hold one or more scopes you are trying to grant — or rotation/revoke without `tokens:destructive`.", fix: "Mint a caller token with `tokens:write` (mint) or `tokens:destructive` (rotate/revoke) plus every scope you want to grant." },
{ code: "409 conflict", cause: "Token name already in use in this workspace.", fix: "Pick a unique name within the workspace." },
]}
/>

## Related

<Card title="Authentication" icon="lock" href="/api-reference/authentication">
  How keys and OAuth session tokens work, including the scope model and rotation discipline.
</Card>
