
Rotate and Revoke Tokens

Replace or remove API tokens when they are compromised, expired, or no longer needed. The platform does not have a one-click rotate button -- you delete the old token and create a new one.

Prerequisites

  • You are signed in to the XpressAI Platform.
  • You have at least one existing API token.

Steps

Revoke a token

  1. Navigate to the Tokens section from the sidebar.
  2. Find the token you want to revoke.
  3. Click Delete.
  4. Confirm the deletion.

The token is immediately invalidated. Any API request using this token will return an authentication error.

Rotate a token

Rotation is a two-step process: delete the old token, then create a new one.

  1. Delete the old token following the revoke steps above.
  2. Create a new token with the same name and scopes (see Create a Platform API Token).
  3. Update all clients that use the old token with the new token value.

warning

There is a brief window between deleting the old token and updating your clients with the new one. During this time, API requests from those clients will fail. Plan token rotations during low-traffic periods if possible.

tip

Keep a record of which systems use each token. This makes rotation faster because you know exactly which clients need updating.

Verify

  • The old token no longer appears in the Tokens list.
  • API requests using the old token return an authentication error.
  • The new token is listed and API requests using it succeed.
  • All clients have been updated and are functioning with the new token.
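
The two API-request checks above can be scripted. The following is an added example, not XpressAI's own code. It assumes tokens are sent as an `Authorization: Bearer` header and that an authentication error means HTTP 401 or 403; `CHECK_URL`, `OLD_TOKEN` and `NEW_TOKEN` are hypothetical environment variables you set yourself.

```python
import os
import sys
import urllib.error
import urllib.request

# Assumption: an "authentication error" surfaces as HTTP 401 or 403.
AUTH_ERROR_CODES = {401, 403}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # never forward the Authorization header to a redirect target


_opener = urllib.request.build_opener(_NoRedirect)


def probe(url, token, timeout=10):
    """Send one authenticated GET and return the HTTP status code."""
    # Assumption: tokens are sent as "Authorization: Bearer <token>".
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # non-2xx responses are raised; keep only the code


def check_rotation(url, old_token, new_token):
    """Return a list of problems; an empty list means the rotation verified."""
    problems = []
    old_status = probe(url, old_token)
    new_status = probe(url, new_token)
    if old_status not in AUTH_ERROR_CODES:
        problems.append(f"old token not rejected (HTTP {old_status})")
    if not 200 <= new_status < 300:
        problems.append(f"new token not accepted (HTTP {new_status})")
    return problems


if __name__ == "__main__":
    # Tokens are read from the environment so they stay out of argv and shell history.
    # CHECK_URL is a placeholder for a read-only endpoint that requires a token.
    issues = check_rotation(os.environ["CHECK_URL"], os.environ["OLD_TOKEN"],
                            os.environ["NEW_TOKEN"])
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

The script exits non-zero if the old token still works or the new one does not, so it can gate a rotation runbook or CI job. Messages contain only status codes, never token values.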