Skip to content

API Tokens

Personal access tokens (the API tokens in your profile settings) authenticate API requests on your behalf. Each token carries read and write scopes, giving full access to all API endpoints your account can reach.

Personal token vs. project token

A personal token is tied to you and reaches the general API your account can access — but not the report or error-event submission endpoints, which require a project token. A project token is tied to one project and carries one or more narrow abilities: submit reports, ingest error events, or read project data.

Creating a Token

Tokens are managed from your profile settings in the kendo app. When you create a token, the plain-text value is shown only once — copy and store it in a secure location. It cannot be retrieved later.

You can revoke or delete tokens at any time from the same settings page.

Using Your Token

Include the token in the Authorization header of all API requests:

bash
curl https://{tenant}.kendo.dev/api/projects \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."

Token Scopes

ScopeDescription
readRead access to all resources you have permission for
writeWrite access to all resources you have permission for

Personal tokens always receive both read and write scopes. The scope middleware enforces:

  • Safe methods (GET, HEAD, OPTIONS) — require read or write
  • Unsafe methods (POST, PUT, PATCH, DELETE) — require write

Your token inherits the same role-based permissions as your account. If you can't access a project in the UI, you can't access it with a token either.

See Also