API Tokens

Personal access tokens let you authenticate with the A vs B CLI and REST API without using your email and password. Each token belongs to your account personally and carries the same permissions as your role in the organization.

What are personal access tokens?

A personal access token (PAT) is a long, randomly generated string that acts as a credential. You pass it in API requests or CLI commands instead of your password. Tokens are useful when:

  • You want to automate tasks using the A vs B CLI in a script or CI/CD pipeline
  • You are building a tool or integration that calls the A vs B REST API programmatically
  • You want to grant a specific tool access to your account without sharing your real password

Tokens can be revoked at any time without affecting your account password or other tokens.

Token format

All personal access tokens start with the prefix pat_ followed by a long random string — for example: pat_abc123xyz.... This prefix makes it easy to identify A vs B tokens if they appear in logs or configuration files.
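The fixed prefix is what makes automated leak checks practical. As an added example (not part of the A vs B documentation or tooling), this Python scanner flags and redacts suspected tokens in logs or configuration files. The character set and 20-character minimum are assumptions, since the page only specifies the pat_ prefix.

```python
import re
import sys

# Assumption: the page only says "pat_" plus a long random string. The character
# set and the 20-character minimum below are guesses; tune them to real tokens.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])pat_[A-Za-z0-9_-]{20,}")

def redact(token):
    """Keep the prefix and 4 characters so a finding can be matched to a token
    without writing the secret into the report."""
    return token[:8] + "*" * (len(token) - 8)

def scan_text(text, source="<input>"):
    """Return (source, line_no, redacted_token) for each suspected token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, line_no, redact(match.group())))
    return findings

def scrub(text):
    """Return text with every suspected token replaced by its redacted form."""
    return TOKEN_RE.sub(lambda m: redact(m.group()), text)

# Constructed sample: a CI log and a config file. The token values are made up.
SAMPLE = """\
[ci] step 3: exporting results
[ci] Authorization: Bearer pat_Zk3vQ9mT2xLp7RwY8sNd4HbC6uJe
api_token = "pat_h1G5tUa0PqW3eRz9KxM2nVbY7cDf"
compat_mode = pat_short
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        results = scan_text(SAMPLE, "sample")
    else:
        results = []
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results += scan_text(fh.read(), path)
    for source, line_no, token in results:
        print(f"{source}:{line_no}: possible A vs B token {token}")
    sys.exit(1 if results else 0)  # non-zero exit fails a pre-commit or CI step
```

Any token the scanner finds in a committed file or shared log should be treated as exposed and revoked, not just deleted from the file.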

Creating a token

1. Open Account Settings

   Click your avatar or initials in the bottom-left corner of the sidebar, then click Account Settings.

2. Go to the Auth Tokens tab

   Click the Auth Tokens tab at the top of the Account Settings page.

3. Click Create Token

   Click the Create Token button. A dialog will appear.

4. Enter a name

   Give the token a descriptive name that explains what it will be used for (for example, "CI/CD pipeline", "Local development CLI", or "Data export script"). The name is only for your reference and does not affect the token's behavior.

5. Copy the token immediately

   After clicking Generate, your new token is displayed once. Copy it immediately and store it in a secure location, for example in your password manager, a secrets manager, or your CI/CD platform's environment variables. The token will not be shown again after you close or dismiss the dialog.

Save your token immediately
Your token is shown only once at the moment it is created. It cannot be retrieved later — if you lose it, you will need to revoke it and create a new one. Never paste a token into a chat message, email, or code repository.

Token limit

Each user can have a maximum of 10 personal access tokens active at one time. If you reach the limit, revoke a token you no longer need before creating a new one.

Viewing your tokens

The Auth Tokens tab lists all your active tokens. For each token you can see:

  • Name — the label you gave the token when creating it
  • Created — when the token was generated
  • Last used — the most recent time this token was used to authenticate a request, shown as a relative time (e.g., "3 days ago"). If the token has never been used, this shows "Never".

The token value itself is not shown in the list — only the name and metadata. This is intentional: if someone gains access to your account, they cannot see your existing tokens.

Revoking a token

To revoke a token, click the Revoke button next to it in the token list and confirm the action. Revocation is immediate — any script or tool using that token will immediately start receiving authentication errors. Create a new token and update your tool if you need to restore access.

Rotate tokens regularly
Even if a token has not been compromised, it is good security practice to revoke old tokens and create new ones periodically — especially for tokens that have been in use for many months. Check the Last used timestamp to identify tokens that are no longer actively used and can be safely revoked.