# API Tokens

Personal Access Tokens for programmatic access to your Korey workspace.

API tokens let scripts, CI jobs, and other tools talk to the [Korey API](/docs/developers/api-reference) on your behalf. Each token belongs to a single user and carries the scopes you choose.

## Create a token

1. Open **Settings → Profile → API Tokens**.
2. Click **Create token** in the top right.
3. Fill in the form:
   - **Name** — a label so future-you remembers what it's for (e.g. "CI pipeline", "local script").
   - **Scopes** — the permissions this token will carry. Defaults to all available scopes; select the minimum set the consuming tool needs. Use `threads:read:own` to restrict a token to only your own threads.
   - **Expiry** — pick 1 day, 7 days, 30 days, or **Never**.
4. Click **Create**. The raw token appears once in a dialog with a copy button.

The token is shown one time only. After you close the dialog, Korey stores a one-way hash, so the value can't be retrieved later. If you lose it, revoke it and create a new one.

## Revoking your own tokens

Revoke a token if it is no longer needed, if you suspect it has been leaked, or when rotating to a new token. Once revoked, any script or tool using it will receive `401 Unauthorized` on its next request.

1. Open **Settings → Profile → API Tokens**.
2. Find the token and click **Revoke**.
3. Confirm in the dialog that appears.

The token is invalidated immediately. This action cannot be undone — create a new token if you need access again.
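The lifecycle described above (raw value shown once, only a one-way hash kept, revocation answered with `401 Unauthorized`), modelled as an added example; it is not Korey's code. `TokenStore`, the SHA-256 choice, the 401 on expiry, and the 403 on a missing scope are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import timedelta

# Expiry choices offered in the Create token form; None models "Never".
EXPIRY_CHOICES = {"1 day": 1, "7 days": 7, "30 days": 30, "Never": None}


class TokenStore:
    """Hypothetical server-side model: only a one-way hash of each token is kept."""

    def __init__(self):
        self._rows = {}  # token hash -> {"name", "scopes", "expires", "revoked"}

    @staticmethod
    def _digest(raw):
        # SHA-256 is an assumption; the page only says "one-way hash".
        return hashlib.sha256(raw.encode()).hexdigest()

    def create(self, name, scopes, expiry, now):
        raw = secrets.token_urlsafe(32)  # high-entropy value, returned once
        days = EXPIRY_CHOICES[expiry]
        self._rows[self._digest(raw)] = {
            "name": name, "scopes": set(scopes), "revoked": False,
            "expires": now + timedelta(days=days) if days else None,
        }
        return raw  # the caller must save it; the store cannot rebuild it

    def revoke(self, name):
        for row in self._rows.values():
            if row["name"] == name:
                row["revoked"] = True  # takes effect on the next request

    def authorize(self, raw, scope, now):
        """Return the HTTP status a request carrying `raw` would receive."""
        row = self._rows.get(self._digest(raw))
        if row is None or row["revoked"]:
            return 401  # unknown or revoked token
        if row["expires"] is not None and now >= row["expires"]:
            return 401  # assumption: expired tokens are rejected like revoked ones
        # Assumption: a valid token lacking the scope gets 403, not 401.
        return 200 if scope in row["scopes"] else 403
```

Because the store holds only the digest, a database read exposes no usable token, which is also why a lost token has to be revoked and replaced rather than recovered.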

## Admin: workspace token management

Org admins can view and revoke **all** active tokens across the workspace — PAT and OAuth — from a single page.

1. Open **Settings → Organization → API Tokens** (admin only).
2. The table shows every active token: name, owner, type, last used, and created date.
3. Use the search box to filter by token name or owner, or use the **Type** dropdown to narrow to Personal or OAuth tokens.
4. Click **Revoke** on any row and confirm the dialog to immediately invalidate that token.