Assistant Tokens

Endpoints for managing API tokens scoped to specific assistants.

GET /api/assistants/{id}/tokens

List API tokens for an assistant.

Authentication: Required (AI seat)

Response:

{
  "_links": {
    "self": { "href": "/api/assistants/{id}/tokens" }
  },
  "_embedded": {
    "inf:assistant-token": [
      {
        "id": "token-123",
        "assistantId": "team:sales-assistant",
        "username": "admin",
        "type": "assistant",
        "notes": "Production API integration",
        "token": "i5t_assistant_token_value",
        "readOnly": false,
        "createdAt": "2024-01-15T10:00:00Z",
        "_links": {
          "self": { "href": "/api/tokens/token-123" }
        }
      }
    ]
  },
  "start": 0,
  "count": 1,
  "total": 1
}

Token Visibility

The token value is shown only in creation responses. For security, listing tokens does NOT reveal the token value.


Creating Assistant Tokens

To create a token for an assistant, use the general tokens endpoint:

POST /api/tokens
{
  "type": "assistant",
  "assistantId": "team:sales-assistant",
  "notes": "Token for external API access"
}

See Auth API - Tokens for full token management documentation.


Use Cases

External Integrations

Allow external systems to interact with a specific assistant:

// External app using assistant token
const response = await fetch('https://app.example.com/api/chats', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer i5t_assistant_token_value',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    assistantId: 'team:sales-assistant',
    message: { role: 'user', content: 'Show me top deals' }
  })
});

Webhook Callbacks

Provide assistant-scoped tokens to webhooks for secure callbacks.

Mobile Apps

Distribute assistant-specific tokens to mobile applications for focused functionality.


Security Considerations

  • Scope Limitation - Tokens are limited to the specific assistant
  • Rotation - Regularly rotate tokens for production use
  • Revocation - Delete compromised tokens immediately
  • Read-Only Option - Use readOnly: true when write access isn't needed

Token Security

Treat assistant tokens like passwords. Never commit them to version control or expose them in client-side code.
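
The checklist under Security Considerations can be applied mechanically to the list response. The following is an added example, not part of the original documentation or the product's own code: it walks `_embedded["inf:assistant-token"]` and flags tokens that are due for rotation, are write-capable, or carry a token value in a listing. The function name `auditAssistantTokens`, the 90-day `maxAgeDays` default, and the sample entries `token-456` and `token-789` are assumptions made for illustration.

```javascript
// Added example: audit a token-list response against the security checklist.
// SAMPLE_LIST is constructed data in the shape of GET /api/assistants/{id}/tokens.
const SAMPLE_LIST = {
  _embedded: {
    'inf:assistant-token': [
      { id: 'token-123', assistantId: 'team:sales-assistant',
        notes: 'Production API integration', readOnly: false,
        createdAt: '2024-01-15T10:00:00Z' },
      { id: 'token-456', assistantId: 'team:sales-assistant',
        notes: 'Dashboard (constructed)', readOnly: true,
        createdAt: '2024-05-20T08:30:00Z' },
      { id: 'token-789', assistantId: 'team:sales-assistant',
        notes: 'No timestamp (constructed)', readOnly: true,
        token: 'i5t_assistant_token_value' }
    ]
  },
  total: 3
};

const DAY_MS = 24 * 60 * 60 * 1000;

// maxAgeDays is a hypothetical policy value; the page does not prescribe one.
function auditAssistantTokens(listResponse, { maxAgeDays = 90, now = new Date() } = {}) {
  const embedded = (listResponse && listResponse._embedded) || {};
  const tokens = embedded['inf:assistant-token'] || [];
  const findings = [];
  for (const t of tokens) {
    const reasons = [];
    const created = Date.parse(t.createdAt);
    if (Number.isNaN(created)) {
      // Without a creation time the rotation policy cannot be evaluated.
      reasons.push('createdAt missing or unparsable: age unknown');
    } else {
      const ageDays = Math.floor((now.getTime() - created) / DAY_MS);
      if (ageDays > maxAgeDays) reasons.push(`rotation due: ${ageDays} days old`);
    }
    if (t.readOnly !== true) reasons.push('write-capable: confirm write access is needed');
    // Token values should appear only in creation responses, never in a listing.
    if (typeof t.token === 'string' && t.token.length > 0) {
      reasons.push('token value present in list response');
    }
    if (reasons.length > 0) findings.push({ id: t.id, notes: t.notes, reasons });
  }
  return findings;
}

console.log(JSON.stringify(
  auditAssistantTokens(SAMPLE_LIST, { now: new Date('2024-06-01T00:00:00Z') }), null, 2));
```

Passing a fixed `now` makes the report reproducible; in a scheduled job, omit it so the current time is used.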