Personal Access Tokens

Personal access tokens are long-lived credentials tied to your A vs B account. They authenticate the CLI tool when you run avsb login, and they can be used to make direct API requests on your behalf. Unlike session-based authentication, tokens work without a browser — making them suitable for developer tooling and automation.

What tokens are for

  • CLI authentication — the avsb command-line tool uses a token to authenticate with the A vs B API. When you run avsb login, you are prompted to paste a token. This is the primary use case.
  • Direct API access — if you are building a custom integration or script that calls the A vs B REST API, you can include a token in the Authorization header to authenticate the request.

Token format

All personal access tokens follow a consistent format: the prefix pat_ followed by a 64-character hexadecimal string. A token looks like this:

    pat_a3f8c2d1e5b9f04712c8a6e3d0b7f29e1a4c5d8f3e2b1a0c9d7f6e5b4a3c2d1

The pat_ prefix makes tokens easy to identify and easy to grep for in code reviews and secret scanning tools.

Creating a token

1. Open Account Settings

Click your account avatar or name in the top-right corner of the A vs B dashboard. Select Account Settings from the dropdown menu.

2. Go to the Auth Tokens tab

Inside Account Settings, click the Auth Tokens tab. You will see a list of any existing tokens and a button to create a new one.

3. Click Create Token

Click the Create Token button. A modal will appear asking you to give the token a name.

4. Enter a name

Give your token a descriptive name so you remember what it is used for. Examples: Laptop CLI, CI pipeline, Home dev machine. The name does not affect the token's permissions — it is just a label for your own reference.

5. Copy the token immediately

After clicking Create, the token value is displayed once and only once. Copy it to a safe location — a password manager is ideal. Once you close the modal, A vs B will never show you this token value again. If you lose it, you will need to delete the token and create a new one.

Copy the token now — it is only shown once
A vs B stores only a hashed version of your token for security. The plain-text value is shown only at creation time. There is no "reveal token" option after you close the creation dialog. If you lose your token, you must revoke it and create a new one.

Token limits

Each user account can have a maximum of 10 active tokens at a time. If you have reached the limit and need to create a new one, you must first revoke an existing token.

Using a token in the CLI

Run avsb login in your terminal. The CLI will prompt you to paste your personal access token:

    $ avsb login
    Paste your personal access token: pat_a3f8c2d1...
    Logged in as jane@example.com (Acme Corp)

The token is stored securely in your system's credential store (the macOS Keychain on Mac, the Windows Credential Manager on Windows, or the ~/.avsb/credentials file on Linux). You will not need to paste it again unless you log out or revoke the token.

Using a token in API requests

Include the token in the Authorization header as a Bearer token:

Example API request
    curl https://api.avsb.cloud/v1/experiments \
      -H "Authorization: Bearer pat_a3f8c2d1e5b9f04712c8a6e3d0b7f29e1a4c5d8f3e2b1a0c9d7f6e5b4a3c2d1"

Last used timestamp

Each token in the Auth Tokens list shows a last used timestamp — the date and time the token was most recently used to make an authenticated request. This helps you identify which tokens are still in active use and which ones can be safely revoked.

Revoking tokens

To revoke a token, go to Account Settings → Auth Tokens and click the delete icon next to the token you want to remove. The token is immediately invalidated — any CLI sessions or API integrations using that token will stop working instantly.

There is no undo for revoking a token. If you revoke a token that is being used by your CLI, you will need to create a new token and run avsb login again.

Never share tokens or commit them to version control
A personal access token gives anyone who has it full access to your A vs B account. Treat it like a password:
  • Never paste it into Slack, email, or a shared document.
  • Never commit it to a Git repository — even a private one. Use environment variables for any automation.
  • Never share it with teammates — each person should create their own token.
If you suspect a token has been compromised, revoke it immediately and create a new one.
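
The fixed pat_ format described under Token format lets a commit-time check catch a token before it reaches a repository. The Python pre-commit hook below is an added example, not part of the A vs B documentation or tooling; it scans staged files for the documented pattern and prints only a redacted form. The sample token in it is constructed.

```python
import os
import re
import subprocess
import sys

# Documented format: "pat_" followed by 64 hexadecimal characters. The
# lookarounds reject matches inside longer identifiers or longer hex strings.
PAT_RE = re.compile(r"(?<![A-Za-z0-9_])pat_[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# Constructed sample, not a real token: line 2 holds a well-formed value,
# line 3 is one character short, line 4 only contains "pat_" inside a name.
FAKE = "pat_" + "0123456789abcdef" * 4
SAMPLE = f'name = "ci"\ntoken = "{FAKE}"\nshort = "{FAKE[:-1]}"\ncom{FAKE}\n'

def redact(token):
    """Show just enough to recognise the token; never echo the full secret."""
    return token[:8] + "..." + token[-4:]

def scan_text(text):
    """Return [(line_no, redacted_token)] for every token found in text."""
    return [(n, redact(m.group()))
            for n, line in enumerate(text.splitlines(), 1)
            for m in PAT_RE.finditer(line)]

def staged_files():
    """Paths added, copied or modified in the index (about to be committed)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=ACM"],
        capture_output=True, check=True).stdout
    return [os.fsdecode(p) for p in out.split(b"\0") if p]

def main():
    hits = 0
    for path in staged_files():
        # ":path" names the staged blob, so unstaged edits are not scanned.
        blob = subprocess.run(["git", "show", ":" + path],
                              capture_output=True, check=True).stdout
        for line_no, shown in scan_text(blob.decode("utf-8", "replace")):
            print(f"{path}:{line_no}: A vs B token {shown}", file=sys.stderr)
            hits += 1
    if hits:
        print("Commit blocked. Remove the token and revoke it.", file=sys.stderr)
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main())
```

Saved as .git/hooks/pre-commit and marked executable, the script exits non-zero and blocks the commit whenever a staged file contains a value in the documented token format.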