# Access Token Security Best Practices
Access tokens provide powerful, programmatic access to Hawzu APIs. Because they bypass interactive login and MFA, they must be handled with extra care. This guide outlines best practices to keep your workspace and projects secure while using access tokens.
## Core Security Principles
Always grant only the minimum permissions required.
- Assign the lowest possible project role
- Restrict tokens to only the projects they need
- Avoid creating high-privilege tokens unless absolutely required
## Token Creation Best Practices
### Use Clear, Descriptive Names
Always name tokens clearly so their purpose is obvious.
Examples:
- ci-regression-runner
- nightly-report-generator
- jira-sync-service
### Set Expiry Dates Whenever Possible
Short-lived tokens limit how long a leaked or forgotten token stays usable, which matters most for temporary integrations and vendor access.
## Token Storage & Usage
### Never Hardcode Tokens
Do not store tokens in:
- Source code
- Git repositories
- Documentation or screenshots
Always use environment variables or secret managers.
### Use Secure Storage
Store tokens only in:
- Environment variables
- CI/CD secret managers
- Cloud secret managers
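As an added example (not code from the Hawzu documentation), the following shows the hardcoded anti-pattern kept only as a comment beside the recommended form: the token is read from an environment variable injected by a CI/CD or cloud secret manager, the job fails fast if it is missing, and the wrapper type never reveals the value in `repr`, `str` or a traceback. The variable name `HAWZU_ACCESS_TOKEN` and the `hzt_` prefix in the comment are assumptions for illustration.

```python
"""Loading a Hawzu access token from the environment rather than from source code.

Added example, not part of the Hawzu documentation. The variable name
HAWZU_ACCESS_TOKEN and the "hzt_" token prefix are assumptions made for
illustration; substitute whatever your workspace actually uses.
"""
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Anti-pattern, kept as a comment on purpose: a literal token in source ends up in
# the repository, in git history, and in every clone and screenshot of the file.
#
#     HAWZU_TOKEN = "hzt_live_0123456789abcdef"   # constructed value, never do this


class MissingTokenError(RuntimeError):
    """Raised when no token is configured, so the job fails fast instead of running unauthenticated."""


@dataclass(frozen=True)
class AccessToken:
    """Wrapper whose repr/str never reveal the secret, so it is safe in tracebacks and debug output."""

    value: str

    def __repr__(self) -> str:
        return f"AccessToken(<redacted, {len(self.value)} chars>)"

    __str__ = __repr__

    def auth_header(self) -> dict:
        """Build the Authorization header for a request; the secret leaves the wrapper only here."""
        return {"Authorization": f"Bearer {self.value}"}


def load_token(env: Optional[Mapping[str, str]] = None,
               var: str = "HAWZU_ACCESS_TOKEN") -> AccessToken:
    """Read the token from the process environment (or an injected mapping, for tests).

    CI/CD and cloud secret managers inject the secret as an environment variable at
    run time, so nothing secret is ever written into the repository.
    """
    source = os.environ if env is None else env
    raw = source.get(var, "").strip()
    if not raw:
        raise MissingTokenError(
            f"{var} is not set; inject it from your CI/CD or cloud secret manager"
        )
    return AccessToken(raw)


if __name__ == "__main__":
    token = load_token()   # raises MissingTokenError when the variable is absent
    print(token)           # prints the redacted form, never the secret
```

Passing the token around as an `AccessToken` rather than a bare string means an accidental `print(token)` or a logged exception shows only the redacted form; the raw value is exposed only where the request header is built.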
## Monitoring & Maintenance
### Rotate Tokens Regularly
Recommended rotation:
- High-risk automation: 30–60 days
- Standard integrations: 90 days
Immediately revoke tokens if exposed, leaked, or no longer needed.
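To turn the rotation schedule above into a routine check, here is an added example (not from the Hawzu documentation) that audits a token inventory against the guide's limits (60 days for high-risk automation, 90 days for standard integrations) and also flags tokens with no expiry date and tokens that have not been used recently, which are the "forgotten tokens" listed under common mistakes. The inventory and the 30-day idle threshold are constructed assumptions.

```python
"""Auditing an inventory of access tokens against a rotation policy.

Added example, not part of the Hawzu documentation. The token inventory below is
constructed and the 30-day "unused" threshold is an assumption; the rotation
limits (60 days high-risk, 90 days standard) come from the guide.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

ROTATION_LIMIT_DAYS = {"high-risk": 60, "standard": 90}
UNUSED_LIMIT_DAYS = 30  # assumption: idle this long means probably forgotten


@dataclass(frozen=True)
class TokenRecord:
    name: str
    risk: str                  # "high-risk" or "standard"
    created: date
    expires: Optional[date]    # None means the token never expires
    last_used: Optional[date]  # None means it has never been used


# Constructed sample inventory (names follow the guide's naming advice).
SAMPLE_TOKENS = [
    TokenRecord("ci-regression-runner", "high-risk", date(2024, 3, 1), date(2024, 9, 1), date(2024, 5, 31)),
    TokenRecord("nightly-report-generator", "standard", date(2024, 4, 15), None, date(2024, 5, 31)),
    TokenRecord("jira-sync-service", "standard", date(2024, 1, 10), date(2024, 12, 31), date(2024, 3, 1)),
    TokenRecord("vendor-temp-access", "high-risk", date(2024, 5, 20), date(2024, 6, 20), date(2024, 5, 28)),
]


def audit(tokens: Iterable[TokenRecord], today: date) -> Dict[str, List[str]]:
    """Return {token name: [findings]} for every token that violates the policy."""
    findings: Dict[str, List[str]] = {}
    for t in tokens:
        reasons: List[str] = []
        age = (today - t.created).days
        limit = ROTATION_LIMIT_DAYS[t.risk]
        if age > limit:
            reasons.append(f"rotate: {age} days old, limit is {limit} days")
        if t.expires is None:
            reasons.append("no expiry date set")
        if t.last_used is None:
            reasons.append("never used: revoke if not needed")
        elif (today - t.last_used).days > UNUSED_LIMIT_DAYS:
            reasons.append(f"unused for {(today - t.last_used).days} days: revoke if forgotten")
        if reasons:
            findings[t.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TOKENS, date.today()).items():
        for reason in reasons:
            print(f"{name}: {reason}")
```

Run it from a scheduled job against an export of your real token list; a token that shows up with no findings is within policy, and anything else is a concrete rotation or revocation task rather than a vague "rotate regularly" reminder.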
### Environment Strategy
Use separate tokens for development, staging, and production, so a token leaked from a lower environment cannot reach production data.
### Logging & Visibility
Ensure tokens never appear in logs or error messages.
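Keeping tokens out of logs is easiest to enforce centrally. The following is an added example (not from the Hawzu documentation) of a `logging.Formatter` that scrubs the fully rendered line, including any exception traceback text, before it reaches a handler: it replaces registered secret values exactly, then anything shaped like a token. The `hzt_` prefix is an assumption for illustration; the exact-value matching works regardless of token format.

```python
"""A logging formatter that keeps access tokens out of log lines and error messages.

Added example, not part of the Hawzu documentation. The "hzt_" token prefix is an
assumption for illustration; the formatter also redacts any exact secret values
registered with it, so it works regardless of token format.
"""
import logging
import re
from typing import Iterable, Optional

MASK = "[REDACTED]"

# Assumed token shape (hypothetical prefix) and bearer tokens in dumped headers.
_PATTERNS = [
    re.compile(r"hzt_[A-Za-z0-9_\-]{8,}"),
    re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._\-]+"),
]


def redact(text: str, secrets: Iterable[str] = ()) -> str:
    """Replace known secret values first (exact match), then anything shaped like a token."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, MASK)
    for pattern in _PATTERNS:
        text = pattern.sub(lambda m: (m.group(1) if m.lastindex else "") + MASK, text)
    return text


class RedactingFormatter(logging.Formatter):
    """Scrubs the rendered line, including traceback text, so no handler ever sees a token."""

    def __init__(self, fmt=None, datefmt=None, secrets: Iterable[str] = ()):
        super().__init__(fmt, datefmt)
        self.secrets = tuple(secrets)

    def format(self, record: logging.LogRecord) -> str:
        rendered = super().format(record)
        if record.exc_text:  # the base class caches the traceback on the record; scrub that too
            record.exc_text = redact(record.exc_text, self.secrets)
        return redact(rendered, self.secrets)


def configure_logging(secrets: Iterable[str] = ()) -> logging.Logger:
    """Install the redacting formatter on a stream handler for the integration's logger."""
    logger = logging.getLogger("hawzu.integration")
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s", secrets=secrets))
    logger.handlers[:] = [handler]
    logger.setLevel(logging.INFO)
    return logger


def render_line(msg: str, *args, secrets: Iterable[str] = (),
                exc: Optional[BaseException] = None) -> str:
    """Format one record through RedactingFormatter without a handler (handy for tests)."""
    exc_info = (type(exc), exc, exc.__traceback__) if exc is not None else None
    record = logging.LogRecord("hawzu.integration", logging.ERROR if exc else logging.INFO,
                               __file__, 0, msg, args, exc_info)
    return RedactingFormatter("%(levelname)s %(message)s", secrets=secrets).format(record)


if __name__ == "__main__":
    log = configure_logging(secrets=["hzt_live_0123456789abcdef"])  # constructed value
    log.info("request sent with Authorization: Bearer hzt_live_0123456789abcdef")
```

Register the real token value (for example the one loaded from the environment) as a secret when configuring logging, since exact-match redaction does not depend on guessing the token format; the pattern list is a second line of defence for values you did not anticipate, such as tokens echoed back in an error response.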
## Common Mistakes to Avoid
- One token for everything
- Excessive permissions
- No rotation
- Plaintext storage
- Forgotten tokens
## Next Steps