Access tokens let external systems, automation jobs, and integrations authenticate Hawzu API requests without using a person’s login credentials.
Access tokens are for API access only. They do not provide access to the Hawzu web experience.
Open access tokens from the workspace Security & Access area or the Access Tokens page.
The Access Tokens page shows the tokens available in the current workspace. The page helps workspace administrators review token ownership, token scope, expiry, and lifecycle state.
Each token has one access type.
Workspace tokens use a workspace role and can access workspace-level API resources according to that role.
Use workspace tokens when an integration needs workspace-level information or must work across the workspace.
Project tokens are assigned to one or more projects. Each project row has its own project role.
Use project tokens when automation should be limited to specific projects.
Project access is evaluated per project. A token with access to two projects can have different permissions in each project.
The table includes:
The label column is always visible. Other columns can be shown or hidden with the column visibility control.
Use search to find tokens by label, creator, or token identifier.
Available filters include:
Sorting is available for label, access type, created by, created date, expiry date, and status.
Tokens can be enabled or disabled.
An enabled token can authenticate API requests, as long as it has not expired and its assigned roles allow the requested action.
A disabled token cannot authenticate API requests. Disable a token when you want to pause access without permanently removing it.
Disabled tokens can be enabled again by users with the required access.
Tokens can have an expiry date or no expiry date.
Expiry options are selected when a token is created or edited. Tokens with no expiry are allowed, but Hawzu shows a security warning because long-lived tokens carry more risk.
When a token expires, systems using that token should stop authenticating successfully.
Users with the right access can:
Revoking a token removes access immediately and cannot be undone. Create a replacement token before revoking a token used by pipelines, scripts, or integrations.
Access token actions depend on workspace permissions.
The roles available in token role pickers are limited to roles that can be assigned to access tokens.