Skip to content

API tokens

A personal access token (PAT) lets a script authenticate to the OttoTester API as you — without your password, and without a browser session. Use one to trigger runs from CI, pull results into a dashboard, or drive any other automation.

A PAT acts as you. It resolves your current permissions on every request — so if your workspace role changes, every token you hold changes with it. There’s no separate permission set baked into a token. Treat a PAT like a password.

PATs live in Settings → Account → Access tokens. Every role can create them — read-only programmatic access (a CI status check, a dashboard) is a legitimate need for a reviewer too.

When you create a token you give it a name and an expiry (default 30 days; you can choose longer, or never). OttoTester shows you the full token once — copy it then. After the dialog closes it’s unrecoverable; the system keeps only a hash and the first and last few characters, so you can still recognize the token in the list.

Pass the token as a header on every API request — either form works:

Authorization: Bearer <token>
x-api-key: <token>

Store it as a secret in your CI system — never commit it to the repo. See Connect to CI/CD for the full pipeline setup.

Revoke a token any time from the same Access tokens screen. Revocation is immediate: the next request using that token gets a 401. The list also shows each token’s last-used time, so you can spot one that’s no longer needed.

Give each integration its own token. If one leaks, you revoke just that one and nothing else is disturbed.