Power Tokens
The Power Token API lets you create scoped access tokens tied to a specific user, org, project, and space.
Tokens carry a key_type permission flag to control read, write, or delete access. All endpoints require
an additional X-Server-Key header alongside the standard context headers.
Create Token
Issues a new power token for a given user with defined roles and access permissions.
Request Body
Send a single object (not wrapped in an array).
| Field | Type | Required | Description |
|---|---|---|---|
| user_id | string | Yes | ID of the user this token is issued for |
| roles | string | Yes | Comma-separated roles assigned to the token (e.g., user, admin) |
| key_type | string | Yes | Permission level: r-- = read, -w- = write, --d = delete, rw- = read+write, rwd = full access |
| name | string | Yes | Unique name identifier for the token |
| description | string | No | Human-readable description of the token's purpose |
The X-Server-Key header is required for all Power Token endpoints in addition to the standard context headers.
Response
200 OK:
{
  "org_id": "01KN9N1RREKT10YN0TVFM5J32H",
  "power_token": "min_qqMU••••••••••••••••••••••••••••••••••••I4I",
  "project_id": "01KN9N48WEKE1DP09DNYFXHMRR",
  "space_id": "01KN9N66AV68PSND8WF547DRS3"
}
Store the returned power_token securely. It is not recoverable after creation.
List Tokens
Returns a paginated list of all power tokens for the authenticated org, project, and space.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| ps | integer | No | Page size — number of results per page. Default 10 |
| pg | integer | No | Page number (zero-based). Default 0 |
| format | string | No | Response format: json, xml, yml. Default json |
Response
200 OK:
[
  {
    "name": "prime-post-read-token",
    "description": "read only token issued for prime posts app",
    "power_token": "min_qqMU••••••••••••••••••••••••••••••••••••I4I",
    "key_type": "r--",
    "user_id": "01KN6SB2AAW3ZN85FW0W0TH6JW",
    "user_roles": "user, admin",
    "org_id": "01KN9N1RREKT10YN0TVFM5J32H",
    "project_id": "01KN9N48WEKE1DP09DNYFXHMRR",
    "space_id": "01KN9N66AV68PSND8WF547DRS3",
    "created_at": "2026-04-06T08:53:57Z"
  }
]
Delete Token
Permanently deletes a power token by its value. Pass the token as a query parameter.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | The full power token value to delete (e.g., min_...) |
Response
200 OK:
{
  "code": 200,
  "status": "OK",
  "message": "token deleted successfully"
}
Required Headers
| Header | Description |
|---|---|
| X-Org-Id | Organisation identifier |
| X-Project-Id | Project identifier |
| X-Space-Id | Space identifier |
| X-User-Id | Authenticated user's identifier |
| X-User-Roles | Comma-separated roles, e.g. users, admin |
| X-Server-Key | Server-level key required for all Power Token endpoints |
Key Type Reference
| Value | Permissions |
|---|---|
| r-- | Read only |
| -w- | Write only |
| --d | Delete only |
| rw- | Read + Write |
| rwd | Full access (Read + Write + Delete) |
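The key_type values above and the required Create Token fields can be checked before a request is sent, and the same parsing can be used to review List Tokens output for tokens that hold more access than intended. The Python below is an added example, not part of the Power Token API or its documentation; the function names and the sample entries (other than the prime-post-read-token name and key_type shown on this page) are constructed for illustration.

```python
# Added example: field names and key_type values are taken from the tables on this page;
# function names and sample data are constructed (assumptions), not part of the API.
DOCUMENTED_KEY_TYPES = {"r--", "-w-", "--d", "rw-", "rwd"}
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete"}
REQUIRED_FIELDS = ("user_id", "roles", "key_type", "name")


def parse_key_type(key_type):
    """Map a documented key_type flag to the set of permissions it grants."""
    if key_type not in DOCUMENTED_KEY_TYPES:
        raise ValueError(f"undocumented key_type: {key_type!r}")
    return {PERMISSION_NAMES[c] for c in key_type if c != "-"}


def validate_create_body(body):
    """Return the problems found in a Create Token request body (empty list = OK)."""
    if not isinstance(body, dict):
        return ["body must be a single object, not wrapped in an array"]
    problems = [f"{f}: required non-empty string" for f in REQUIRED_FIELDS
                if not isinstance(body.get(f), str) or not body[f].strip()]
    key_type = body.get("key_type")
    if isinstance(key_type, str) and key_type.strip() and key_type not in DOCUMENTED_KEY_TYPES:
        problems.append(f"key_type: {key_type!r} is not a documented value")
    return problems


def audit_tokens(tokens, allowed):
    """Return (name, excess permissions) for listed tokens that exceed `allowed`."""
    findings = []
    for tok in tokens:
        excess = parse_key_type(tok["key_type"]) - set(allowed)
        if excess:
            findings.append((tok["name"], sorted(excess)))
    return findings


# Constructed sample shaped like a List Tokens response (token values left out).
SAMPLE_TOKENS = [
    {"name": "prime-post-read-token", "key_type": "r--", "user_roles": "user, admin"},
    {"name": "nightly-sync-token", "key_type": "rw-", "user_roles": "user"},
    {"name": "legacy-admin-token", "key_type": "rwd", "user_roles": "user, admin"},
]

if __name__ == "__main__":
    print(validate_create_body({"user_id": "u1", "roles": "user", "key_type": "rwx", "name": "t"}))
    print(audit_tokens(SAMPLE_TOKENS, allowed={"read"}))
```

Running the audit on a schedule against the full paginated list gives a simple inventory of tokens that carry write or delete access.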
Common Errors
| Code | Cause |
|---|---|
| 400 | Missing or invalid request body fields |
| 401 | Missing X-User-Id or X-Server-Key header |
| 403 | Unauthorized role or invalid server key |
| 404 | Token not found — check the token query parameter |
| 208 | A token with the same name already exists for this user |