AuthN API Credentials
To access AuthN APIs , create service tokens or use OAuth 2 clients.
To manage access, go to the service page in your Pangea User Console and click API Credentials in the left-hand navigation sidebar.
Service Tokens
You can manage service API tokens under the Service Tokens tab on the AuthN API Credentials page.
Service API tokens are used as bearer tokens to authorize access to Pangea service APIs. They are provisioned per project and can grant full or partial access to one or more services. Pangea recommends limiting the token scope to only what your application requires.
Token list
When you enable AuthN, you can create a service token associated with it. This token appears in the Service Tokens list and is marked as the Default Token. The default token is also shown on the service Overview page. Any additional tokens associated with the service are also listed.
In the service token list, you can:
- View and copy the token value.
- Go to the Vault page to define the token rotation policy, rotate the token manually, copy its Vault ID, view token versions, and enable or disable the token. You can use the token ID to retrieve its value dynamically using the Vault APIs in your application.
- Set the token to be watched for changes.
- Access additional actions via the triple-dot menu:
- Set as default - Designate this token as the default for the service.
- Edit token - Update token scopes or associate the token with other enabled services.
- Copy token - Use this token as a template to create a new one.
- Delete token - Revoke access granted by this token.
Create or update token
Click the Create token button or select Copy token from the triple-dot menu to define a new token. To update an existing token, select Edit token from the menu.
- Token Name - A readable identifier shown in the Name column of the token list, as well as in charts and metrics that track token usage.
- Token Expiration Date - To help reduce the risk of token leakage, set an expiration date to limit the token’s lifespan.
- Select your services and endpoints - Choose one or more enabled services this token can access. If a service supports fine-grained access, a gear icon appears next to its name. Click the gear icon to configure:
- Manage Endpoint Access - Grant access to all or selected endpoints of the service. Hover over a scope to see the endpoints it enables.
- Manage Config Access (for services that support multiple configurations) - The Secure Audit Log and Redact services support multiple configurations to handle different use cases within a single Pangea project. You can associate the token with one or more of these configurations. Learn more in the Secure Audit Log documentation.
- Manage Field Restrictions (Secure Audit Log only) - Each Secure Audit Log configuration has its own schema. You can restrict token access to specific schema fields within the associated configurations.
Click the Create token or Update token button in the dialog to apply your changes.


Service token configuration options for AuthN
Service Clients
Click the Service Clients tab to manage service API tokens using OAuth 2 clients.
Service-level OAuth 2 clients can issue access tokens using the Client Credentials grant to authorize full or partial access to the APIs of one or more Pangea security services. Pangea recommends limiting the scope of each access token to only what your application requires.
The client list includes all clients that can grant access to the AuthN APIs.
Create service client
-
Click the Create service client button.
-
In the Create a client dialog, configure the client:
- Name - Enter a name that will appear in the Client Name column in the client list. The name must be unique within the project.
- Platform Client secret rotates every - Specify how often the client secret is rotated in Vault.
- Access tokens expire in - Set the lifetime of access tokens issued by the client.
- Select services - Choose one or more enabled services that tokens from this client can access. After selecting a service, click the gear icon to select the scope values the client can request to access the service's API endpoints.
-
Click Create client.

