Create an API token

curl --request POST \
  --url https://api.hq.zone/v1/api/tokens \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "expires_in_days": 123,
  "scopes": [
    "<string>"
  ]
}
'

{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "name": "<string>",
  "scopes": [
    "<string>"
  ],
  "token": "<string>",
  "expires_at": "<string>"
}

Tokens

Create an API token

Creates a new personal access token for the authenticated caller, returning the plaintext token exactly once (it cannot be retrieved again) along with its id, name, scopes, and optional expiry. Accepts a name, an optional list of capability scopes (resource:action, e.g. documents:read; omitting scopes defaults to full non-admin access), and an optional expires_in_days (omitted means non-expiring). Each scope must be a known capability or legacy tier, and requesting the admin scope requires the caller to have the admin role. The token’s effective permissions are always clamped to the caller’s role at request time.

POST

api

tokens

Create an API token

curl --request POST \
  --url https://api.hq.zone/v1/api/tokens \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "expires_in_days": 123,
  "scopes": [
    "<string>"
  ]
}
'

{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "name": "<string>",
  "scopes": [
    "<string>"
  ],
  "token": "<string>",
  "expires_at": "<string>"
}

Authorizations

Authorization

string

header

required

Personal Access Token. Send as Authorization: Bearer hq_pat_....

Body

application/json

name

string

required

expires_in_days

integer<int64> | null

Optional expiry; omitted = non-expiring manual PAT.

scopes

string[] | null

Requested capability scopes (resource:action, e.g. documents:read). Omitted = ["user"] (full non-admin access, back-compat). Each must be a known capability scope or a legacy tier; the effective set is still clamped to the caller's role at request time.

Response

The new token (plaintext shown once)

string<uuid>

required

name

string

required

scopes

string[]

required

token

string

required

The plaintext token - shown exactly once, never retrievable again.

expires_at

string | null

List API tokens Revoke an API token

⌘I