REST API

API tokens

Self-manage the current team's personal access tokens over the API — the twin of the Developers settings page. Tokens are scoped to the acting token's team, so you only ever see and manage tokens minted for that team.

All endpoints require Authorization: Bearer {token}. See Authentication for how a token is bound to its team.

List tokens

GET /api/tokens

List the team's active (non-revoked) tokens, newest first.

Response — flat JSON array of:

Field Type Description
id string Token id (used to revoke it).
name string The name given at creation.
last_used_at string (ISO 8601) | null When the token last authenticated a request.
created_at string (ISO 8601) | null When the token was created.

Status: 200 OK.

Create a token

POST /api/tokens

Mint a personal access token bound to the current team.

Body parameters

Parameter Type Required Description
name string Yes Label for the token. Max 255 chars.

Response — the created token. Only this response includes the one-time plaintext token field, which is never persisted and can never be shown again. Status: 201 Created.

Field Type Description
id string Token id.
name string Token name.
last_used_at string (ISO 8601) | null Always null on a fresh token.
created_at string (ISO 8601) | null When the token was created.
token string The one-time plaintext bearer token. Copy it now.
curl -X POST https://clickbase.so/api/tokens \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"name": "Reporting script"}'
{
  "id": "42",
  "name": "Reporting script",
  "last_used_at": null,
  "created_at": "2026-07-11T12:00:00.000000Z",
  "token": "eyJ0eXAiOiJKV1QiLCJ..."
}

Revoke a token

DELETE /api/tokens/{token}

Revoke a token. Resolved through the team, so a foreign/unknown id returns 404.

Path parameters

Parameter Type Required Description
token string Yes The token id (from the list or create response).

Status: 204 No Content.