---
title: "Personal access tokens"
canonical_url: "https://docs.getdx.com/personal-access-tokens/"
md_url: "https://docs.getdx.com/personal-access-tokens.md"
last_updated: "2026-05-29"
---

# Personal access tokens
A personal access token (PAT) is a user-scoped token for authenticating with the [DX Web API](https://docs.getdx.com/webapi/overview/). PATs are recommended for individual users, the [DX CLI](https://docs.getdx.com/cli/), and AI agents that act on a user's behalf. For back-end integrations and machine-to-machine traffic, use an [organization token](https://docs.getdx.com/webapi/overview/#authentication) instead.

Compared to an organization token, a PAT adds:

- **Audit attribution.** DX records every action taken with a PAT against the user who issued the token, alongside the token name.
- **Role-scoped permissions.** A PAT can only request scopes the user's role allows. A non-admin cannot mint a PAT that updates snapshots, for example.
- **Per-token expiration.** Each PAT can be set to expire after a fixed window or on a custom date.

## Available scopes

See [Roles & permissions](https://docs.getdx.com/roles/) for the full list of scopes available to each role.

Elevated user roles unlock additional scopes — a workspace admin can issue a PAT with any account-supported scope, a scorecard admin can add `scorecards:write`, and a self-service admin can add `workflowRuns:writeEvents`. The token-creation form only displays scopes the current user is allowed to grant.

## Creating tokens

1. Click your avatar in the top-right of DX and select **Settings**.
1. Scroll to the **Personal access tokens** section and click **Add personal access token**.
1. Enter a **Name** that describes where the token will be used—for example, `dx-cli-laptop` or `agent-experience-pipeline`.
1. Choose an **Expiration**: 7, 30, 60, or 90 days; a **Custom** date; or **No expiration**.
1. Select the **Scopes** the token needs.
1. Click **Create**.

## Using tokens

Send the token in the `Authorization` header for any Web API request:

```bash
curl -X GET https://api.getdx.com/catalog.entities.list \
  --header 'Authorization: Bearer [PERSONAL_ACCESS_TOKEN]'
```

The same token works with the [DX CLI](https://docs.getdx.com/cli/) (`dx auth login --token <token>`).
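
A token typed into a `curl` command line ends up in shell history and is visible in the process list while the request runs. The wrapper below is an added example, not part of the DX documentation: it reads the token from an environment variable and hands the header to `curl` on stdin. The names `DX_PAT`, `dx_curl_config` and `dx_api_get` are hypothetical, and the character check assumes the token uses only RFC 6750 bearer-token characters.

```bash
#!/usr/bin/env bash
# Added example, not DX's own code. DX_PAT is a hypothetical variable name;
# populate it from a secret manager or an interactive prompt, not a dotfile.

DX_API_BASE="https://api.getdx.com"   # host taken from the curl example above

# Print a curl config line carrying the Authorization header.
# Fails if the token is missing or contains a character that could break
# out of the quoted config value (assumption: RFC 6750 token characters only).
dx_curl_config() {
  if [ -z "${DX_PAT:-}" ]; then
    echo "DX_PAT is not set" >&2
    return 1
  fi
  case "$DX_PAT" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "DX_PAT contains unexpected characters" >&2
      return 1
      ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$DX_PAT"
}

# GET a Web API method, for example: dx_api_get catalog.entities.list
dx_api_get() {
  dx_method="$1"
  dx_config="$(dx_curl_config)" || return 1
  # printf is a shell builtin, so the token never appears in any process's
  # argument list; curl reads the header from stdin via --config -.
  printf '%s\n' "$dx_config" | curl --silent --show-error --fail \
    --config - "${DX_API_BASE}/${dx_method}"
}
```

Source the file, export `DX_PAT` for the session, and call `dx_api_get catalog.entities.list`.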

## Editing or revoking tokens

1. Click your avatar in the top-right of DX and select **Settings**.
1. Scroll to **Personal access tokens** and click the token you want to manage.
1. Edit the **Name** or **Scopes**, or click **Delete** to revoke the token.

Deleting immediately revokes access for any client using the token. Expirations cannot be extended; to renew, create a new token and update the consuming client.
