---
title: "Access Tokens"
description: "Manage API access tokens for Autheona email validation. Create, view, and revoke tokens with expiration options. Learn token security best practices, rotation strategies, and authentication management."
keywords: "api access tokens, authentication tokens, token management, api keys, token security, token expiration, token rotation, revoke tokens, api authentication, bearer tokens"

robots: index, follow
permalink: /docs/platform/access-tokens/

order: 5
category: Platform

layout: docs.html
---

# Access Tokens

Access tokens are required to authenticate API calls to Autheona. Each project can have multiple access tokens with different expiration dates.

## What Are Access Tokens

Access tokens are credentials that authorize your application to call the Autheona API for a specific project. Each token is unique and tied to a single project.

**Important Security Notes:**
- Tokens are only shown once at creation
- Store tokens securely (use environment variables)
- Never expose tokens in frontend code
- Never commit tokens to version control

## Creating an Access Token

1. Open your project page
2. Click the Settings button
3. Navigate to the Access Tokens section
4. Click the Create Token button
5. A modal appears with two fields:
   - **Expiration Date** - Choose from:
     - 30 days
     - 90 days
     - 365 days
     - Never expire
   - **Description** - Optional note about token usage (e.g., "Production Server", "Testing Environment")
6. Click Create
7. **Copy the token immediately** - This is the only time you will see it

After closing the creation modal, the token appears in the token list but the actual token value is hidden.

## Token Details You Cannot Change

After creating a token, you cannot modify:
- Expiration date
- Description

If you need different settings, create a new token and revoke the old one.

## Viewing Access Tokens

In the Access Tokens section, you can see:

- Token description
- Creation date
- Expiration date
- Last used date (if applicable)

The actual token value is never displayed again after creation.

## Revoking an Access Token

If a token is compromised or no longer needed:

1. Go to the Access Tokens section in project settings
2. Find the token in the list
3. Click the Revoke button
4. Confirm revocation

**Revoked tokens:**

- Stop working immediately
- Cannot be recovered
- Are permanently deleted
- Break any integrations using that token

## Token Limits

There is no limit on the number of access tokens you can create per project.

## Best Practices

- Create separate tokens for different environments (development, staging, production)
- Use descriptive names in the description field
- Set expiration dates for tokens used in temporary or testing scenarios
- Use "never expire" only for production tokens
- Rotate tokens periodically for security
- Revoke unused tokens immediately
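
These practices can be checked against a hand-maintained inventory that mirrors the fields shown in the token list (description, creation date, expiration date, last used date). The script below is an added example, not Autheona code; the inventory format, the thresholds, and the `prod` substring heuristic are assumptions.

```python
from datetime import date, timedelta

# Assumed policy thresholds (not from the Autheona docs); adjust to your policy.
MAX_AGE = timedelta(days=90)         # rotate tokens older than this
MAX_IDLE = timedelta(days=30)        # treat a token as unused after this long
EXPIRY_WARNING = timedelta(days=14)  # lead time to roll out a replacement

# Constructed sample inventory, recorded by hand from the token list.
# expires=None means "Never expire"; last_used=None means never used.
SAMPLE_INVENTORY = [
    {"description": "Production Server", "created": date(2024, 1, 10),
     "expires": None, "last_used": date(2024, 6, 1)},
    {"description": "Testing Environment", "created": date(2024, 5, 20),
     "expires": date(2024, 6, 19), "last_used": None},
    {"description": "Staging", "created": date(2024, 5, 1),
     "expires": date(2024, 7, 30), "last_used": date(2024, 5, 30)},
    {"description": "", "created": date(2024, 4, 15),
     "expires": date(2025, 4, 15), "last_used": date(2024, 4, 16)},
]

def audit_token(token, today):
    """Return the list of policy findings for one inventory entry."""
    findings = []
    expires, last_used = token["expires"], token["last_used"]
    if not token["description"].strip():
        findings.append("missing description")
    if expires is not None and expires <= today:
        findings.append("expired")
    elif expires is not None and expires - today <= EXPIRY_WARNING:
        findings.append("expires soon: create replacement")
    if today - token["created"] > MAX_AGE:
        findings.append("older than rotation age: rotate")
    # A token that was never used is measured from its creation date.
    if today - (last_used or token["created"]) > MAX_IDLE:
        findings.append("unused: revoke")
    # Heuristic (assumption): production tokens mention "prod" in the description.
    if expires is None and "prod" not in token["description"].lower():
        findings.append("never expires on a non-production token")
    return findings

def audit_inventory(inventory, today):
    """Map inventory index -> findings, skipping entries with none."""
    report = {}
    for index, token in enumerate(inventory):
        findings = audit_token(token, today)
        if findings:
            report[index] = findings
    return report
```

The inventory holds only metadata; the token values themselves stay in your secret store and never belong in this file.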

## If You Lose a Token

There is no way to recover a lost token. You must:

1. Create a new access token
2. Update your application with the new token
3. Revoke the lost token (if you remember which one it was)