Overview
The Toku API uses Bearer token authentication. Every request must include a personal API token in theAuthorization header, along with a role type header specifying the permission context.
Getting Your API Token
1
Create a token
Call the The response includes your new API token. Store it securely — it cannot be retrieved again.
createUserApiToken endpoint with your existing session credentials, or ask a Toku administrator to provision one for you.2
Use the token
Include the token in every API request:
3
Refresh when needed
Tokens expire after 30 days. Refresh before expiry:
Required Headers
Role Types
Thex-role-type header determines what permissions your request has. Your API token must belong to a user with the specified role in the organization.
Token Scoping
Each API token is scoped to a single organization. If you manage multiple organizations, you need a separate token for each. The token inherits the permissions of the user who created it. If the user’s role is revoked, the token stops working.Security Best Practices
- Never expose tokens in client-side code — API tokens should only be used in server-to-server communication
- Rotate tokens regularly — use
refreshUserApiTokento get a new token before the current one expires - Use the minimum required role — if your integration only needs to read grants, consider using a role with read-only access
- Monitor usage — Toku logs all API access by token for audit purposes
