Personal Access Token for Authentication

Overview

This topic describes how to create and use Personal Access Tokens (PAT).

PATs are used as an alternative to passwords for authenticating with Digital.ai Deploy. You can use PATs with public APIs and webhook endpoints.

caution

Personal Access Token (PAT) Support and SSO Considerations

PATs are supported for internal, LDAP, and SSO users. However, organizations can choose to disable PAT creation for SSO users via the Settings page.

This is especially useful for organizations using Single Sign-On (SSO) systems like Office 365, Okta, or Azure AD that want to enforce centralized identity governance. If PATs remain enabled for SSO users, those tokens can continue to grant access even after:

• The user is disabled or deleted in the SSO provider.
• The user’s group memberships or roles are updated.

Since Digital.ai Release and Deploy only update user roles or status when a user logs in via SSO, any existing PATs will retain the last known access level. This may result in outdated or unauthorized access.

To ensure secure access control, organizations may disable PAT generation for SSO users, so that:

• All UI and API access always reflects the current SSO status.
• No orphaned tokens can bypass role or access changes managed via the SSO provider.

For external users, use OIDC-based authentication instead. See Configure OpenID Connect (OIDC) Authentication for Deploy for more information.

Managing Personal Access Tokens

Learn how to create, configure, and manage your Personal Access Tokens for secure authentication.

Creating a PAT

Follow these steps to generate a new Personal Access Token:

1. Log in to Digital.ai Deploy
2. Navigate to your profile by clicking your avatar in the top-right corner
3. Select Access tokens
4. Click Generate new tokens
5. In the Generate token panel:
   • Enter a descriptive Token name
   • Select a Token expiration period
6. Click Generate

important

Copy and store the token securely. The token will not be visible after you leave the page.

Managing Token Expiration

Understanding token expiration settings helps you maintain secure access while ensuring continuous service availability.

Expiration Options

• 7 days
• 30 days
• 45 days
• 60 days
• 1 year
• No expiration

Timezone Considerations

• Expiration dates are displayed in your local browser timezone
• The "Expires in" counter shows the exact remaining time, regardless of timezone
• This ensures consistent expiration tracking across different geographical locations

Deleting a Token

When a token is no longer needed, you can easily remove it to maintain security:

1. Locate the token in the Personal access tokens list
2. Click the Delete button
3. Confirm by clicking Delete token

Behavior When PATs Are Disabled for SSO Users

Digital.ai Deploy handles SSO users differently when PAT generation is disabled by an administrator.

SSO Users Without Existing Tokens

If an SSO user does not have any previously generated tokens and PAT creation is disabled, the Access Tokens page displays an informational message. No token list is shown, and token generation is not possible.

SSO Users With Existing Tokens

If the SSO user has existing tokens but PAT generation is disabled, the token list remains visible. However, the Generate new tokens button is disabled, and a banner is displayed to indicate the restriction.

Using Personal Access Tokens

Learn how to implement PAT authentication in different scenarios, from API calls to webhook configurations.

Authenticating with Public APIs Using PATs

You can use PATs for authentication with public APIs in the following ways:

• Pass PATs in API calls in place of a password
• Pass PATs in the header of an API call

note

PATs are supported for users authenticated through SSO.

Pass PATs in API Calls in Lieu of a Password

Example for basic HTTP authentication without a username:

curl -u :<pat> 'http://localhost:4516/api/v1/deployit' -i -X GET

Pass PATs in API Call's Header

Example for passing the token as part of the header:

curl --header 'x-deploy-personal-token: <pat>' 'http://localhost:4516/deployit/tokens/users' -i -X GET

Admin-Controlled Token Expiry for Personal Access Tokens

Users currently have the flexibility to set any expiration date for Personal Access Tokens (PAT) or even choose the No expiration option. However, there is a security risk as tokens may remain forever unnoticed in the system. To address this concern, administrators now have the capability to oversee and limit the expiration duration set by users for PATs. This allows admins to prevent the creation of prolonged or non-expiring PATs, ensuring better security practices. To learn more about this feature, see Personal Access Token for Authentication.

Navigate to System settings > General > Personal access tokens section to set the value using the Maximum token expiration duration drop-down list.

By default, the value is set to No expiration. The available values are as follows:

• 7 days
• 30 days
• 45 days
• 60 days
• 1 year
• No expiration

Notify Token Expiration Timelines

A column titled Expires in is added to provide visibility into the token expiration timelines.

The following list provides information about how the token expiration is notified:

• Never pill indicates the token does not have an expiration date.
• If the expiration date is greater than 5 days, the number of days before the expiration is displayed.
• If the expiration date is less than 5 days, a warning pill is displayed with the number of days remaining for expiration.
• If the expiration date is less than 24 hours, a warning pill is displayed with the message Less than 24 hours.
• If the expiry date is passed, an active pill is displayed with the message Expired.