API tokens let scripts, CI jobs, and other tools talk to the Korey API on your behalf. Each token belongs to a single user and carries the scopes you choose.
Create a token
- Open Settings → Profile → API Tokens.
- Click Create token in the top right.
- Fill in the form:
  - Name — a label so future-you remembers what it’s for (e.g. “CI pipeline”, “local script”).
  - Scopes — the permissions this token will carry. Defaults to all available scopes; select the minimum set the consuming tool needs. Use threads:read:own to restrict a token to only your own threads.
  - Expiry — pick 1 day, 7 days, 30 days, or Never.
- Click Create. The raw token appears once in a dialog with a copy button.
Revoking your own tokens
Revoke a token if it is no longer needed, if you suspect it has been leaked, or when rotating to a new token. Once revoked, any script or tool using it will receive 401 Unauthorized on its next request.
- Open Settings → Profile → API Tokens.
- Find the token and click Revoke.
- Confirm in the dialog that appears.
The token is invalidated immediately. This action cannot be undone — create a new token if you need access again.
Admin: workspace token management
Org admins can view and revoke all active tokens across the workspace — PAT and OAuth — from a single page.
- Open Settings → Organization → API Tokens (admin only).
- The table shows every active token: name, owner, type, last used, and created date.
- Use the search box to filter by token name or owner, or use the Type dropdown to narrow to Personal or OAuth tokens.
- Click Revoke on any row and confirm the dialog to immediately invalidate that token.