Skip to main content



Tokens are used as bearer tokens to authenticate access to Pangea services. Tokens are provisioned per project and can be given scopes that provide access to each Pangea service individually. Pangea recommends limiting token scopes to only those required by the application using the tokens.

Creating a token

Tokens can be created in Project Settings -> Tokens or from the token section of each service dashboard. If creating a token from the token section of a service dashboard, the token will be created with that service already selected.

The create token modal will ask for a token name, expiration date, and service scopes.

Token name

The token name is a friendly name that will be referenced from within the Pangea Admin Console. This will not be the id or name that is sent with API requests. The name is provided to make charts and metrics more readable and to make discussing tokens between developers easier.

Expiration date

Most organizations are required to cycle tokens regularly to help mitigate the security risks of leaking a token in the wild. The expiration date will invalidate a token after the date provided has passed.


The services determine the access that a token has. A token can be provided access to all services, or it can be provisioned access on a per-service basis.

  • All services
    • This option provides the token access to all current and future services. This means that when Pangea releases new services in the future, new tokens need not get provisioned to allow access to them.
  • Individual Services
    • Selecting services individually gives the token access only to the selected services. This differs from All services because even if all services are selected individually, the token would still not have access to new services released to Pangea after the token was created.

Obtaining Token IDs

Token IDs can be copied by clicking the copy icon from any token listing. Token listings can be found in Project Settings -> Tokens as well as from any service dashboard.

`Note: Service dashboards will only display tokens that have access to the service in question (e.g., the Audit dashboard will only display tokens that have access to the audit service).

Revoking a token

Tokens can be revoked by clicking the circled minus symbol at the right-most side of a token listing.

`Note: Revoking a token will cause any code using the token to cease functioning.

Expiring tokens

Tokens expiring soon will appear red, with a warning icon next to them. This draws attention to the fact that the token is expiring and may cause code to cease functioning unless a new token is created and used.

Cloning a token

Tokens can be cloned from the Project Settings -> Tokens area. Cloning a token allows admins to create new tokens with the same characteristics as existing ones. This can be useful when replacing an expiring token with a new token.

Default tokens

Service dashboard token listings will have an option for a default token. This token will be used for certain functionality from within the Pangea Admin Console (e.g., searching audit logs in the log viewer). Additionally, the default token will be the default selected token when using the interactive Pangea API reference.

Was this article helpful?

Contact us