Access Tokens

    Access Tokens are credentials used to authenticate with the Pulumi Cloud API. The Access Tokens API covers both personal access tokens (PATs) for individual users and organization-level tokens for team use.

    List Org Tokens

    GET /api/orgs/{orgName}/tokens

    Retrieves all access tokens created for an organization. Organization tokens provide CI/CD automation access scoped to the organization rather than tied to individual user accounts. The response includes token metadata such as name, description, creation date, last used date, and expiration status. The actual token values are never returned after initial creation. An optional filter parameter can include expired tokens in the results.

    Request Parameters

    • orgName string path required
      The organization name
    • filter string query optional
      Filter tokens by status (e.g., include expired tokens)

    Responses

    200 OK
    • tokens array[AccessToken] required
      The list of access tokens. Each AccessToken has the following fields:
        • id string required
          Unique identifier for this access token.
        • name string required
          Human-readable name assigned to this access token.
        • description string required
          User-provided description of the token’s purpose.
        • created string required
          Timestamp when the token was created, in ISO 8601 format.
        • lastUsed integer required
          Unix epoch timestamp (seconds) when the token was last used. Zero if never used.
        • expires integer required
          Unix epoch timestamp (seconds) when the token expires. Zero if it never expires.
        • admin boolean required
          Whether this token has Pulumi Cloud admin privileges.
        • createdBy string required
          User.GitHubLogin of the user that created the access token
        • role AccessTokenRole optional
          Role associated with the token, if applicable

    Create Org Token

    POST /api/orgs/{orgName}/tokens

    Generates a new access token scoped to the organization for use in CI/CD pipelines and automated workflows. Organization tokens belong to the organization rather than individual users, ensuring that access is not disrupted when team members leave.

    The name field must be unique across the organization (including deleted tokens) and cannot exceed 40 characters. The expires field accepts a Unix epoch timestamp up to two years from the present, or 0 for no expiry (the default).

    Important: The token value in the response is only returned once at creation time and cannot be retrieved later. Audit logs for actions performed with organization tokens are attributed to the organization rather than an individual user.

    Request Parameters

    • orgName string path required
      The organization name
    • reason string query optional
      Audit log reason for creating this token

    Request Body

    • description string required
      The description
    • name string required
      The name
    • admin boolean required
      Whether the entity has admin privileges
    • expires integer required
      The expiration time
    • roleID string optional
      The role identifier

    Responses

    200 OK
    • id string required
      The unique identifier
    • tokenValue string required
      The token value
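
    The constraints on name and expires described for Create Org Token can be checked before the request is sent. The following is an added example, not Pulumi's own code: build_org_token_request, existing_names and allow_no_expiry are hypothetical names, and treating "two years" as 730 days, rejecting past timestamps and refusing non-expiring tokens by default are local assumptions.

```python
import time
from urllib.parse import quote

MAX_NAME_LEN = 40               # limit stated in the reference
MAX_LIFETIME = 2 * 365 * 86400  # "two years" taken as 730 days (assumption)


def build_org_token_request(org, name, description, expires, admin=False,
                            existing_names=(), allow_no_expiry=False, now=None):
    """Validate inputs locally and return (method, path, body) for the call.

    existing_names is a hypothetical caller-kept set of names already used in
    the organization, deleted tokens included. The server stays authoritative.
    """
    now = int(time.time()) if now is None else int(now)
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("name must be 1-40 characters")
    if name in existing_names:
        raise ValueError("name already used in this organization")
    if expires == 0:
        # 0 means no expiry (the API default); refused here unless opted in.
        if not allow_no_expiry:
            raise ValueError("non-expiring token requires allow_no_expiry=True")
    elif expires <= now:
        raise ValueError("expires is in the past")  # local policy
    elif expires - now > MAX_LIFETIME:
        raise ValueError("expires is more than two years away")
    body = {"name": name, "description": description,
            "admin": bool(admin), "expires": int(expires)}
    # Percent-encode the org name so it cannot alter the request path.
    return "POST", f"/api/orgs/{quote(org, safe='')}/tokens", body


if __name__ == "__main__":
    now = 1719792000  # constructed clock value: 2024-07-01T00:00:00Z
    print(build_org_token_request("acme", "ci-deploy", "prod deploys",
                                  now + 90 * 86400, now=now))
```

    Because tokenValue is returned only once, the caller should write it straight to a secret store rather than to logs or build output.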

    Delete Org Token

    DELETE /api/orgs/{orgName}/tokens/{tokenId}

    Permanently revokes and deletes an organization access token. Any CI/CD pipelines or automation using this token will immediately lose access to the organization’s resources. This action cannot be undone.

    Request Parameters

    • orgName string path required
      The organization name
    • tokenId string path required
      The access token identifier

    Responses

    204 No Content

    List Personal Tokens

    GET /api/user/tokens

    Returns all personal access tokens for the authenticated user. Web-session generated tokens (type ‘web’) are excluded from the results. Each token in the response includes its ID, description, and lastUsed timestamp. Use the filter query parameter to search tokens by name or description.

    Request Parameters

    • filter string query optional
      Filter tokens by name or description

    Responses

    200 OK
    • tokens array[AccessToken] required
      The list of access tokens. Each AccessToken has the following fields:
        • id string required
          Unique identifier for this access token.
        • name string required
          Human-readable name assigned to this access token.
        • description string required
          User-provided description of the token’s purpose.
        • created string required
          Timestamp when the token was created, in ISO 8601 format.
        • lastUsed integer required
          Unix epoch timestamp (seconds) when the token was last used. Zero if never used.
        • expires integer required
          Unix epoch timestamp (seconds) when the token expires. Zero if it never expires.
        • admin boolean required
          Whether this token has Pulumi Cloud admin privileges.
        • createdBy string required
          User.GitHubLogin of the user that created the access token
        • role AccessTokenRole optional
          Role associated with the token, if applicable
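
    The token metadata returned by List Org Tokens and List Personal Tokens is enough to drive a periodic credential review. The following is an added example, not Pulumi's own code: it flags tokens that never expire, carry admin privileges, have never been used, have gone unused for a while, or have expired. The sample response is constructed, audit_tokens is a hypothetical name, and the 90-day staleness threshold is an assumption.

```python
DAY = 86400

# Constructed sample shaped like the documented 200 OK body (not real tokens).
SAMPLE_RESPONSE = {
    "tokens": [
        {"id": "tok-1", "name": "ci-deploy", "description": "prod deploys",
         "created": "2023-01-10T09:00:00Z", "lastUsed": 1717200000,
         "expires": 0, "admin": True, "createdBy": "alice"},
        {"id": "tok-2", "name": "preview-bot", "description": "PR previews",
         "created": "2024-03-01T12:00:00Z", "lastUsed": 0,
         "expires": 1740787200, "admin": False, "createdBy": "bob"},
        {"id": "tok-3", "name": "old-runner", "description": "legacy runner",
         "created": "2022-06-01T00:00:00Z", "lastUsed": 1700000000,
         "expires": 1710000000, "admin": False, "createdBy": "carol"},
    ]
}


def audit_tokens(response, now, stale_after_days=90):
    """Return {token id: [findings]} for tokens that need review."""
    report = {}
    for tok in response.get("tokens", []):
        findings = []
        expires, last_used = tok["expires"], tok["lastUsed"]
        if expires == 0:
            findings.append("no-expiry")    # zero means it never expires
        elif expires <= now:
            findings.append("expired")      # candidate for deletion
        if tok.get("admin"):
            findings.append("admin")        # Pulumi Cloud admin privileges
        if last_used == 0:
            findings.append("never-used")   # zero means never used
        elif now - last_used > stale_after_days * DAY:
            findings.append("stale")
        if findings:
            report[tok["id"]] = findings
    return report


if __name__ == "__main__":
    now = 1719792000  # constructed clock value: 2024-07-01T00:00:00Z
    for token_id, findings in audit_tokens(SAMPLE_RESPONSE, now).items():
        print(token_id, ",".join(findings))
```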

    Create Personal Token

    POST /api/user/tokens

    Creates a new personal access token for the authenticated user. The request body includes a description for the token and an optional expiration time. The response includes the token ID and the tokenValue (prefixed with ‘pul-’). The token value is only returned once at creation time and cannot be retrieved later.

    Request Parameters

    • reason string query optional
      Tracks the context that triggered token creation (e.g., redirect URL or referral source)

    Request Body

    • description string required
      The description
    • expires integer required
      The expiration time

    Responses

    200 OK
    • id string required
      The unique identifier
    • tokenValue string required
      The token value

    Delete Personal Token

    DELETE /api/user/tokens/{tokenId}

    Permanently deletes a personal access token by its identifier. The token is immediately invalidated and can no longer be used for authentication. Returns 204 on success or 404 if the token does not exist.

    Request Parameters

    • tokenId string path required
      The access token identifier

    Responses

    204 No Content
    Errors: 404 Token