Scenario
As an admin, you want to issue API tokens for integrations, automations, or AI agents that call the PlusPlus API; track which tokens are in use; and revoke tokens that are no longer needed.
Solution
API tokens are managed from the API Tokens dashboard, which is available to admins only.
View existing tokens
Open the profile menu and select Dashboard.
Select API Tokens from the left sidebar.
The dashboard lists all tokens issued for your tenant. Each row shows:
Name — the label given to the token at creation.
Key Prefix — the first 8 characters of the token, used to identify it without exposing the full secret.
Created by — the admin who issued the token.
Created — the date the token was issued.
Last used — the most recent time the token authenticated a request, or Never if it has not yet been used.
Expires — the token's expiration date, or Never.
Status — Active or Revoked.
The table shows 15 tokens per page and can be sorted by name or creation date.
Create a token
From the API Tokens dashboard, select Create token.
The Create API token dialog opens.
Enter a Token name (required, up to 128 characters).
Select an Expiration from the dropdown:
30 days
60 days
90 days
1 year
Never
Select Create Token.
The full token appears once on screen, with a Copy button. Copy it to your secrets manager immediately. After you close the dialog, the full token cannot be retrieved again — only the Key Prefix remains visible from the dashboard.
Revoke a token
From the API Tokens dashboard, locate the token you want to revoke.
Open the context menu (button with three dots) for that token and select Revoke.
Confirm the action.
The token's status changes to Revoked and subsequent API requests authenticated with it fail. Revocation cannot be undone. To restore access, create a new token.
Go deeper
Permissions and visibility
The API Tokens dashboard is admin-only. Admins see all tokens issued for the tenant, regardless of which admin created them.
A token inherits the permissions of the admin who created it. When the token is used to call the API, the request is evaluated against that admin's role and access. If the issuing admin's account is removed or has its role changed, the token's effective permissions change accordingly. For this reason, treat token issuance as a privileged action and revoke tokens belonging to admins who change roles or leave the organization.
Token format and storage
When you create a token, PlusPlus generates a random secret, stores a SHA-256 hash of it, and records the first 8 characters of the secret as the Key Prefix. PlusPlus never stores the full token in plaintext, and the full value cannot be retrieved after the create dialog closes. Always store the token in a secrets manager (for example, Vault or AWS Secrets Manager) rather than in source code or shared documents.
Usage tracking
Each authenticated API request updates the token's Last used timestamp, throttled to once per 60 seconds. Use this column to identify stale or unused tokens that are candidates for revocation.
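The behavior described under Token format and storage and Usage tracking, sketched as an added example that is not PlusPlus code: only a SHA-256 hash and the 8-character Key Prefix are kept, and Last used is written at most once per 60 seconds. The TokenStore class, its method names, the token length and encoding, and the lookup by prefix are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

PREFIX_LEN = 8           # Key Prefix length stated on the page
LAST_USED_THROTTLE = 60  # seconds, as stated on the page


class TokenStore:
    """Hypothetical in-memory store; illustrates the scheme, not PlusPlus internals."""

    def __init__(self):
        self._rows = {}  # key prefix -> record; the plaintext token is never kept

    def issue(self, name, ttl_seconds=None, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # assumed length and encoding
        self._rows[token[:PREFIX_LEN]] = {
            "name": name,
            "sha256": hashlib.sha256(token.encode()).hexdigest(),
            "expires": None if ttl_seconds is None else now + ttl_seconds,
            "last_used": None,
            "revoked": False,
        }
        return token  # shown once to the caller; only hash and prefix remain

    def revoke(self, prefix):
        self._rows[prefix]["revoked"] = True  # no un-revoke path, as on the page

    def authenticate(self, presented, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(presented[:PREFIX_LEN])  # lookup by prefix (assumed)
        if row is None:
            return False
        digest = hashlib.sha256(presented.encode()).hexdigest()
        # Constant-time comparison of the computed and stored hashes
        if not hmac.compare_digest(digest, row["sha256"]):
            return False
        if row["revoked"] or (row["expires"] is not None and now >= row["expires"]):
            return False
        # Write Last used at most once per throttle window
        if row["last_used"] is None or now - row["last_used"] >= LAST_USED_THROTTLE:
            row["last_used"] = now
        return True

    def last_used(self, prefix):
        return self._rows[prefix]["last_used"]
```

Because of the throttle, a Last used value can trail the most recent request by up to 60 seconds, which does not matter when the column is used to find tokens that have been idle for days or weeks.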
What you cannot do today
Tokens cannot be renamed after creation. To change the name, revoke the token and create a new one.
Token expiration cannot be edited after creation. To change the expiration, revoke the token and create a new one.
Revoked tokens cannot be reactivated or regenerated. Create a new token instead.
