API tokens
What a PAT is
Section titled “What a PAT is”A personal access token (PAT) lets a script authenticate to the OttoTester API as you — without your password, and without a browser session. Use one to trigger runs from CI, pull results into a dashboard, or drive any other automation.
A PAT acts as you. It resolves your current permissions on every request — so if your workspace role changes, every token you hold changes with it. There’s no separate permission set baked into a token. Treat a PAT like a password.
Generate a token
Section titled “Generate a token”PATs live in Settings → Account → Access tokens. Every role can create them — read-only programmatic access (a CI status check, a dashboard) is a legitimate need for a reviewer too.
When you create a token you give it a name and an expiry (default 30 days; you can choose longer, or never). OttoTester shows you the full token once — copy it then. After the dialog closes it’s unrecoverable; the system keeps only a hash and the first and last few characters, so you can still recognize the token in the list.
Use a token in CI
Section titled “Use a token in CI”Pass the token as a header on every API request — either form works:
Authorization: Bearer <token>x-api-key: <token>Store it as a secret in your CI system — never commit it to the repo. See Connect to CI/CD for the full pipeline setup.
Revoke a token
Section titled “Revoke a token”Revoke a token any time from the same Access tokens screen. Revocation is immediate: the next request using that token gets a 401. The list also shows each token’s last-used time, so you can spot one that’s no longer needed.
Give each integration its own token. If one leaks, you revoke just that one and nothing else is disturbed.
Related
Section titled “Related”- Reference → Roles and permissions, Environment variables