Access tokens can authenticate Hawzu API requests without interactive login. Treat them like sensitive credentials.
Create tokens with only the access they need.
Use names that make ownership and purpose obvious.
Good examples:
ci-regression-runner
nightly-test-sync
release-report-job
Avoid vague names like token, new token, or automation.
Prefer expiring tokens.
Shorter expiry windows reduce risk if a token is exposed. Use Never Expires only when the system using the token cannot support regular rotation.
When a token must have no expiry, store it carefully and set a regular review reminder outside Hawzu.
Keep tokens only in secure locations, such as:
Do not keep tokens in:
Use Disable token when you want to pause access and test impact.
Disabled tokens cannot authenticate requests, but they can be enabled again later.
Use Revoke Token when a token is no longer needed, has been replaced, or may have been exposed.
Revoking is permanent. Any pipeline, script, or integration using that token stops working immediately.
To rotate a token:
Review tokens on a regular schedule.
Look for: