Personal access tokens

Personal access tokens (PATs) provide a secure way to authenticate with the fDeploy REST API without using cookie-based sessions. They are ideal for CI/CD pipelines, scripts, and other automated integrations.

How PATs work

Each token is tied to the user who created it and inherits that user’s roles and permissions. When a PAT is used to call the API, fDeploy authorizes the request as if the user were signed in — the same role-based access control applies.

Tokens are hashed with SHA-256 before storage. The raw token is only displayed once at creation time and cannot be retrieved afterward.

Creating a token

  1. Navigate to Configuration → Access Tokens
  2. Click Create token
  3. Enter a descriptive name for the token
  4. Optionally set an expiration date. If no expiration is set, the token remains valid until revoked.
  5. Click Create
  6. Copy the token immediately — it will not be shown again

Using a token

Include the token in the Authorization header of your HTTP requests:

Authorization: Bearer fdp_...

Example using curl to upload a package:

curl -X POST https://yourfdeployserver/api/Package \
-H "Authorization: Bearer fdp_your_token_here" \
-H "Content-Type: multipart/form-data" \
-F "OverWriteExisting=true" \

Managing tokens

The access tokens page shows all tokens you have created, including:

  • Name — the descriptive name you assigned
  • Token prefix — the first few characters of the token for identification
  • Status — Active, Expired, or Revoked
  • Created — when the token was created
  • Expires — when the token will expire (if set)
  • Last used — when and from which IP address the token was last used

Administrators can toggle Show all users to view and manage tokens across all users.

Revoking a token

Click the revoke button next to any token to permanently disable it. Revoked tokens cannot be reused. Users can revoke their own tokens, and administrators can revoke any user’s token.

Token lifecycle

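| State   | Description                                                      |
|---------|------------------------------------------------------------------|
| Active  | Token is valid and can be used for API authentication            |
| Expired | Token has passed its expiration date and is no longer accepted   |
| Revoked | Token has been manually revoked and is permanently disabled      |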
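
The storage rule from "How PATs work" and the three lifecycle states above can be modelled in a few lines. This is an added example, not fDeploy's own code: the token length, the 8-character display prefix, the in-memory `STORE` and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timezone

PREFIX = "fdp_"   # token prefix shown on this page
STORE = {}        # SHA-256 hex digest -> record; the raw token is never kept


def digest(raw):
    return hashlib.sha256(raw.encode()).hexdigest()


def create_token(user, name, expires_at=None):
    """Return the raw token once; persist only its hash and a display prefix."""
    raw = PREFIX + secrets.token_urlsafe(32)   # length and alphabet are assumptions
    STORE[digest(raw)] = {
        "user": user, "name": name, "prefix": raw[:8],
        "expires_at": expires_at, "revoked": False,
    }
    return raw


def status(record, now=None):
    """Map a stored record to Active, Expired or Revoked."""
    now = now or datetime.now(timezone.utc)
    if record["revoked"]:
        return "Revoked"
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return "Expired"
    return "Active"


def authenticate(header, now=None):
    """Return the owning user for a valid Authorization header value, else None."""
    scheme, _, raw = header.partition(" ")
    if scheme != "Bearer" or not raw.startswith(PREFIX):
        return None
    record = STORE.get(digest(raw))   # look up by hash of the presented token
    if record is None or status(record, now) != "Active":
        return None
    return record["user"]             # the request then runs with this user's roles


def revoke(user, name):
    """Permanently disable a user's token by name; there is no un-revoke path."""
    for record in STORE.values():
        if record["user"] == user and record["name"] == name:
            record["revoked"] = True
```

A fast unsalted hash is acceptable in this model because the token is long random data rather than a human-chosen password, so a leaked copy of the store does not yield usable tokens.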