POST /auth/pats
Create Personal Access Token
curl --request POST \
  --url https://api.dfns.io/auth/pats \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "name": "<string>",
  "publicKey": "<string>",
  "permissionId": "pm-37vj4-jkr4l-lc9945spfftkne57",
  "externalId": "<string>",
  "daysValid": 123,
  "secondsValid": 123
}
'
{
  "accessToken": "<string>",
  "dateCreated": "2023-04-14T20:41:28.715Z",
  "credId": "<string>",
  "isActive": true,
  "linkedUserId": "us-6b58p-r53sr-rlrd3l5cj3uc4ome",
  "linkedAppId": "ap-2a9in-tt2a1-983lho480p35ejd0",
  "name": "<string>",
  "orgId": "or-30tnh-itmjs-s235s5ontr3r23h2",
  "publicKey": "<string>",
  "tokenId": "to-202a0-cdo33-o65mbt6q758lvvnt",
  "permissionAssignments": [
    {
      "permissionName": "<string>",
      "permissionId": "pm-37vj4-jkr4l-lc9945spfftkne57",
      "assignmentId": "as-1vcmc-qrek0-6b4vii9pln60907e",
      "operations": [
        "<string>"
      ]
    }
  ]
}

Authentication

✅ Organization User (CustomerEmployee)
✅ Delegated User (EndUser)
❌ Personal Access Token not allowed
❌ Service Account

Required Permissions

Auth:Pats:Create: Always required.

Authorizations

Authorization
string
header
required

Bearer Token: Used to authenticate API requests. More details on how to generate the token: Authentication flows

X-DFNS-USERACTION
string
header
required

User Action Signature: Used to sign change-inducing API requests. More details on how to generate the token: User Action Signing flows

Body

application/json
name
string
required

Human-readable name of the Personal Access Token.

Minimum string length: 1
publicKey
string
required
Pattern: ^-----BEGIN (RSA )?PUBLIC KEY-----[A-Za-z0-9+/=\n\r\\]+-----END (RSA )?PUBLIC KEY-----\s?$
permissionId
string

ID of the permission (also referred to as "role" in the dashboard).

Required string length: 1 - 64
Pattern: ^pm-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"pm-37vj4-jkr4l-lc9945spfftkne57"

externalId
string

Value that can be used to correlate the entity with an external system.

daysValid
integer

Number of days the token will be valid for.

secondsValid
integer

Number of seconds the token will be valid for.
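
A pre-flight check for the request body, using the field constraints and patterns listed above. This is an added example, not Dfns code: the function name `validate_pat_request` and the sample values are assumptions, and the explicit private-key check is an addition (the documented `publicKey` pattern already rejects such input, this only makes the error explicit).

```python
import re

# Patterns copied from the Body section of this page.
PUBLIC_KEY_RE = re.compile(
    r"^-----BEGIN (RSA )?PUBLIC KEY-----[A-Za-z0-9+/=\n\r\\]+-----END (RSA )?PUBLIC KEY-----\s?$"
)
PERMISSION_ID_RE = re.compile(r"^pm-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$")


def validate_pat_request(body):
    """Return a list of problems; an empty list means the body matches the documented schema."""
    errors = []
    name = body.get("name")
    if not isinstance(name, str) or len(name) < 1:
        errors.append("name: required string, minimum length 1")

    key = body.get("publicKey")
    if not isinstance(key, str):
        errors.append("publicKey: required string")
    elif "PRIVATE KEY" in key:
        # Reported separately so the message is explicit: private key material stays local.
        errors.append("publicKey: contains private key material")
    elif not PUBLIC_KEY_RE.match(key):
        errors.append("publicKey: does not match the documented PEM pattern")

    perm = body.get("permissionId")  # optional field
    if perm is not None:
        if not isinstance(perm, str) or not 1 <= len(perm) <= 64 or not PERMISSION_ID_RE.match(perm):
            errors.append("permissionId: does not match the documented pattern")

    for field in ("daysValid", "secondsValid"):  # optional integers
        value = body.get(field)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            errors.append(f"{field}: must be an integer")
    return errors


# Constructed sample input: the key body is filler, not a real key.
SAMPLE_OK = {
    "name": "ci-deploy",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nQUJDREVGR0g=\n-----END PUBLIC KEY-----",
    "permissionId": "pm-37vj4-jkr4l-lc9945spfftkne57",
    "daysValid": 30,
}
```

Running the check before the request is signed and sent catches a swapped key file locally instead of as an API error.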

Response

200 - application/json

Success

accessToken
string
required

The access token. Only returned at creation time.

dateCreated
string<date-time>
required

ISO 8601 date (must be UTC). Date the access token was created.

Example:

"2023-04-14T20:41:28.715Z"

credId
string
required

ID of the credential associated with the access token.

isActive
boolean
required

Whether the access token is active.

kind
enum<string>
required
Available options: Pat, ServiceAccount, Token, Code, Recovery, Temp, Application
linkedUserId
string
required

User id.

Required string length: 1 - 64
Pattern: ^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"us-6b58p-r53sr-rlrd3l5cj3uc4ome"

linkedAppId
string
required

ID of the application the access token is linked to.

Required string length: 1 - 64
Pattern: ^ap-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"ap-2a9in-tt2a1-983lho480p35ejd0"

name
string
required

Human-readable name of the access token.

orgId
string
required

Organization id.

Required string length: 1 - 64
Pattern: ^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"or-30tnh-itmjs-s235s5ontr3r23h2"

publicKey
string
required

Public key associated with the access token.

tokenId
string
required

Token id.

Required string length: 1 - 64
Pattern: ^to-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"to-202a0-cdo33-o65mbt6q758lvvnt"

permissionAssignments
object[]
required

Permissions (roles) assigned to the access token.

Last modified on June 25, 2026