# API Keys (Personal Access Tokens)
Tenantx supports personal API tokens backed by Laravel Sanctum. Users can create tokens to authenticate programmatic access to the same API used by the frontend.
## Permissions Required
| Action | Permission |
|---|---|
| List tokens | api_keys.read |
| Create token | api_keys.create |
| Revoke token | api_keys.delete |
These permissions are assigned to the `organization_admin` and `admin` roles by default. See `PERMISSIONS.md` for role definitions.
## API Endpoints

All endpoints require an `Authorization: Bearer <token>` header and pass through the `workspace.context` middleware (supply the `workspace_id` query parameter).

### List tokens

```http
GET /api/api-tokens
```

Returns all tokens for the authenticated user (IDs, names, last used, created). Note: the raw token value is never returned after creation.

### Create token

```http
POST /api/api-tokens
Content-Type: application/json

{ "name": "My Integration" }
```

Returns `{ id, name, token, abilities, created_at }`.

The `token` field is only returned once — store it securely.

### Revoke token

```http
DELETE /api/api-tokens/{token_id}
```
## Frontend

The API keys UI lives at `/settings/api-keys` (if the route is registered in your app).

Hook: `useApiTokens` in `frontend/src/hooks/useApiTokens.ts`.
## Security Notes

- Tokens are stored hashed in `personal_access_tokens` (Sanctum's table).
- Tokens inherit the user's `organization_id` scope — they cannot access other orgs.
- Revoke tokens that are no longer needed.
- Treat tokens like passwords — never log or expose them in URLs.
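The notes above follow from how Sanctum handles tokens: the plaintext is `<id>|<secret>`, only `sha256(secret)` is stored, so the raw value can be shown exactly once and cannot be recovered from the table. The following is an added, self-contained Python model of that lifecycle (issue, authenticate, list, revoke) with the organization scope check the page describes; it is not Tenantx or Sanctum code, and `TokenStore` and its in-memory table are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenRecord:
    id: int
    user_id: int
    organization_id: int
    name: str
    token_hash: str                      # sha256 of the secret; the secret itself is never stored
    last_used_at: Optional[datetime] = None


class TokenStore:
    """In-memory stand-in for Sanctum's personal_access_tokens table (constructed for this example)."""

    def __init__(self) -> None:
        self._rows: Dict[int, TokenRecord] = {}
        self._next_id = 1

    def create(self, user_id: int, organization_id: int, name: str) -> Tuple[str, TokenRecord]:
        secret = secrets.token_urlsafe(30)   # Sanctum uses a 40-char random string; length here is illustrative
        rec = TokenRecord(self._next_id, user_id, organization_id, name,
                          hashlib.sha256(secret.encode()).hexdigest())
        self._rows[rec.id] = rec
        self._next_id += 1
        return f"{rec.id}|{secret}", rec     # plaintext is handed out once, exactly as POST /api/api-tokens does

    def authenticate(self, bearer: str, organization_id: int) -> Optional[TokenRecord]:
        """Resolve a bearer token to its record, or None. Hash compare is constant-time; org scope is enforced."""
        token_id, sep, secret = bearer.partition("|")
        if not sep or not token_id.isdigit():
            return None
        rec = self._rows.get(int(token_id))
        if rec is None:
            return None
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(rec.token_hash, presented):
            return None
        if rec.organization_id != organization_id:
            return None                      # token is bound to its user's organization (assumed check)
        rec.last_used_at = datetime.now(timezone.utc)
        return rec

    def revoke(self, token_id: int) -> bool:
        return self._rows.pop(token_id, None) is not None

    def list_for_user(self, user_id: int) -> List[dict]:
        # What GET /api/api-tokens exposes: metadata only, never the secret or its hash
        return [{"id": r.id, "name": r.name, "last_used_at": r.last_used_at}
                for r in self._rows.values() if r.user_id == user_id]
```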