API Tokens

Environment Variables

CONCH_TOKEN

specify the API token
CONCH_ENV

production, staging, or development (defaults to production)
CONCH_URL

if CONCH_ENV=development, specifies the API’s URL

profile create --name :name --token :token

create a profile using a token. user names and other parameters are ignored
profile set token :token

converts a profile to token auth, using the provided token
profile upgrade

converts a profile to token auth by auto-generating a token which is never shared to the user
profile revoke-tokens --tokens-only

when revoking one’s access abilities, one can revoke only API tokens instead of both API tokens and logins
profile change-password --purge-tokens

when changing one’s paswords, one can also purge all API tokens at the same time
user tokens

list all API tokens
user token create :name

create a token with the given name, displaying the token value
user token get :name

get basic data (including last used time) about a token. Does not show the token value
user token rm :name

remove a token by name

admin user :id tokens

List a user’s API tokens
admin user :id token get :name

Get a user’s API token by name. Does not show the token value
admin user :id token rm :name

Remove a user’s token by name
admin user :id revoke --tokens-only

when revoking a user’s access, an admin can revoke just their API tokens
admin user :id reset --revoke-tokens

when reseting a user’s passwords, an admin can also revoke their API tokens

The API token is obfuscated in the config file. It is not possible to copy that value out of the config and use it in another tool.

DISABLE_API_TOKEN_CRUD

removes all commands for creating or modifying API tokens
TOKEN_OBFUSCATION_KEY

used in the obfuscation of tokens in the config file. While a default is provided, it is strongly recommended that this be customized in the build environment. NOTE: If this value is ever changed, it will render the tokens in user configs completely unusable.