Steps to generate a Service Token

The creation flow looks like this:
  1. Navigate to Settings → Service Tokens.
  2. Click Create Service Token.
  3. Name your token, add relevant Groups, and enter a Description.
  4. Copy the token now—you won’t be able to view it again.
💡 Note: Tokens can be refreshed (regenerated) at any time without changing the Token ID or its assigned scopes.

Refreshing a Service Token

If you need a new JWT (e.g. a token was compromised or lost):
  1. Find the token in the list and click Refresh.
  2. Confirm the action.
  3. Copy the new token immediately—you won’t see it again.
⚠️ Refreshing does not change the Token ID, Groups, or expiry date.

Best Practices & Security

  • Short‑Lived: Issue tokens with the minimal necessary lifespan; avoid indefinite (zero‑expiry) tokens.
  • Least Privilege: Assign only the Groups (scopes) required for the service’s functionality.
  • Secure Storage: Keep JWTs in an encrypted vault (e.g. AWS Secrets Manager, HashiCorp Vault).
  • Rotate Regularly: Refresh tokens before expiry to limit the impact of a leak.
  • Monitor Usage: Audit token use in your logs; alert on anomalous patterns (e.g. unexpected IPs, spikes in errors).
  • Immediate Blacklisting: Revoke any token immediately upon suspicion of compromise.
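
To act on the Short‑Lived and Rotate Regularly points, the sketch below classifies a stored Service Token by its expiry so that indefinite or soon-to-expire tokens can be flagged during an inventory pass. It is an added example, not code from this product. It assumes the token is a compact JWT carrying the standard `exp` claim (RFC 7519) and that a missing or zero `exp` is how an indefinite token appears; the function names, the 14-day warning window and the sample tokens are all constructed for illustration.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return payload claims WITHOUT verifying the signature.

    Suitable for a local inventory check only, never for authentication.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def rotation_status(token: str, now: Optional[float] = None, warn_days: int = 14) -> str:
    """Classify a token as no-expiry, expired, rotate-soon or ok."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    # Assumption: missing, zero or non-numeric "exp" means an indefinite token.
    if not isinstance(exp, (int, float)) or exp <= 0:
        return "no-expiry"
    if exp <= now:
        return "expired"
    if exp - now <= warn_days * 86400:
        return "rotate-soon"
    return "ok"


def make_sample(claims: dict) -> str:
    """Build a constructed sample token; the signature is a placeholder."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the output is reproducible
    samples = {"indefinite": {"exp": 0}, "due": {"exp": NOW + 7 * 86400},
               "healthy": {"exp": NOW + 90 * 86400}}
    for name, claims in samples.items():
        print(name, rotation_status(make_sample(claims), now=NOW))
```

Run the check inside the environment that already has access to the vault, and log only the status, never the token itself.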