Personal access tokens (PATs)

Personal access tokens (PATs) tie API access to a specific user in a specific workspace. The token acts as that user, permissions and scopes both apply.

Creating a token

• Open Workspace Settings → Integrations.

• Expand API Access Tokens.

• Click Create token, enter a name, choose scopes, and set expiry.

• Copy the secret immediately, it is shown only once.

Token format

• Prefix: elv_pat_ followed by a random secret.

• Send as: Authorization: Bearer elv_pat_…

• Only a SHA-256 hash is stored server-side; the full token cannot be retrieved later.

• The first 16 characters are saved as a prefix so you can identify tokens in the UI.

Who can create tokens

You can create a token if you are a workspace admin or have the settings.integrations create permission (Integrations in workspace settings).

Expiry

• Default expiry is 90 days when creating a token.

• Never expires is available only to workspace admins.

• Expired or revoked tokens return 401 Unauthorized.

Listing and revoking

• Workspace admins see all active tokens in the workspace; other users see only their own.

• You can revoke your own token; admins can revoke any token in the workspace.

• Revocation is immediate, existing integrations stop working on the next request.

Membership

If the user who created the token is removed from the workspace, the token stops working even if it has not expired.

Security best practices

• Grant the minimum scopes your integration needs (read-only when possible).

• Never commit tokens to source control or share them in chat.

• Prefer expiring tokens over never-expire unless required.

• Revoke and recreate tokens if you suspect compromise.

• Use a descriptive token name (e.g. Zapier – sales pipeline) for audit clarity.