API Tokens
This topic describes the distinct types of API tokens you can use to authenticate with HCP Terraform.
Note that HCP Terraform only displays API tokens once when you initially create them and are obfuscated thereafter. If the token is lost, it must be regenerated.
Refer to Team Token API and Organization Token API for additional information about using the APIs.
User API Tokens
API tokens may belong directly to a user. User tokens are the most flexible token type because they inherit permissions from the user they are associated with. For more information on user tokens and how to generate them, see the Users documentation.
Team API Tokens
API tokens may belong to a specific team. Team API tokens allow access to the workspaces that the team has access to, without being tied to any specific user.
Navigate to the Organization settings > API Tokens > Team Token tab to manage API tokens for a team or create new team tokens.
Each team can have one valid API token at a time. When a token is regenerated, the previous token immediately becomes invalid.
Owners and users with manage teams permissions have the ability to enable and disable team token management for a team, which limits the actions that team members can take on a team token. Refer to Allow Member Token Management for more information.
Team API tokens are designed for performing API operations on workspaces. They have the same access level to the workspaces the team has access to. For example, if a team has permission to apply runs on a workspace, the team's token can create runs and configuration versions for that workspace via the API. (More about permissions.)
Note that the individual members of a team can usually perform actions the team itself cannot, since users can belong to multiple teams, can belong to multiple organizations, and can authenticate with Terraform's atlas
backend for running Terraform locally.
If an API token is generated for the "owners" team, then that API token will have all of the same permissions that an organization owner would.
Organization API Tokens
API tokens may be generated for a specific organization. Organization API tokens allow access to the organization-level settings and resources, without being tied to any specific team or user.
To manage the API token for an organization, go to Organization settings > API Token and use the controls under the "Organization Tokens" header.
Each organization can have one valid API token at a time. Only organization owners can generate or revoke an organization's token.
Organization API tokens are designed for creating and configuring workspaces and teams. We don't recommend using them as an all-purpose interface to HCP Terraform; their purpose is to do some initial setup before delegating a workspace to a team. For more routine interactions with workspaces, use team API tokens.
Organization API tokens have permissions across the entire organization. They can perform all CRUD operations on most resources, but have some limitations; most importantly, they cannot start runs or create configuration versions. Any API endpoints that can't be used with an organization API token include a note like the following:
Note: This endpoint cannot be accessed with organization tokens. You must access it with a user token or team token.
Agent API Tokens
Agent pools have their own set of API tokens which allow agents to communicate with HCP Terraform, scoped to an organization. These tokens are not valid for direct usage in the HCP Terraform API and are only used by agents.
Access Levels
The following chart illustrates the various access levels for the supported API token types. Some permissions are implicit based on the token type, others are dependent on the permissions of the associated user, team, or organization.
🔵 = Implicit for token type 🔶 = Requires explicit permission
User tokens | Team tokens | Organization tokens | |
---|---|---|---|
Users | |||
Manage account settings | 🔵 | ||
Manage user tokens | 🔵 | ||
Workspaces | |||
Read workspace variables | 🔶 | 🔶 | 🔵 |
Write workspace variables | 🔶 | 🔶 | 🔵 |
Plan, apply, upload states | 🔶 | 🔶 | |
Force cancel runs | 🔶 | 🔶 | |
Create configuration versions | 🔶 | 🔶 | |
Create or modify workspaces | 🔶 | 🔶 | 🔵 |
Remote operations | 🔶 | 🔶 | |
Manage run triggers | 🔶 | 🔶 | 🔵 |
Manage notification configurations | 🔶 | 🔶 | |
Manage run tasks | 🔶 | 🔶 | 🔵 |
Teams | |||
Create teams | 🔶 | 🔶 | 🔵 |
Modify team | 🔶 | 🔶 | 🔵 |
Read team | 🔶 | 🔶 | 🔵 |
Manage team tokens | 🔶 | 🔶 | 🔵 |
Manage team workspace access | 🔶 | 🔶 | 🔵 |
Manage team membership | 🔶 | 🔶 | 🔵 |
Organizations | |||
Create organizations | 🔵 | ||
Modify organizations | 🔶 | ||
Manage organization tokens | 🔶 | ||
View audit trails | 🔵 | ||
Invite users to organization | 🔶 | 🔶 | 🔵 |
Sentinel | |||
Manage Sentinel policies | 🔶 | 🔶 | 🔵 |
Manage policy sets | 🔶 | 🔶 | 🔵 |
Override policy checks | 🔶 | 🔶 | |
Integrations | |||
Manage VCS connections | 🔶 | 🔶 | 🔵 |
Manage SSH keys | 🔶 | 🔶 | |
Manage run tasks | 🔶 | 🔶 | 🔵 |
Modules | |||
Manage Terraform modules | 🔶 | 🔵 (owners) |
Token Expiration
You can create user, team, and organization tokens with an expiration date and time. Once the expiration time has passed, the token is longer treated as valid and may not be used to authenticate to any API. Any API requests made with an expired token will fail.
HashiCorp recommends setting an expiration on all new authentication tokens. Creating tokens with an expiration date helps reduce the risk of accidentally leaking valid tokens or forgetting to delete tokens meant for a delegated use once their intended purpose is complete.
You can not modify the expiration of a token once you have created it. The HCP Terraform UI displays tokens relative to the current user's timezone, but all tokens are passed and displayed in UTC in ISO 8601 format through the HCP Terraform API.