P4A Documentation
APIs

Personal access tokens

Create and manage personal access tokens that let agentic clients and scripts act on your behalf in P4A.

Overview

A personal access token (PAT) is a secret credential that lets an external client call P4A on your behalf without your password — an agentic client such as Claude Code, a script, or a direct API call. Each token carries a name, a set of scopes that limit what it can do, and an optional expiry. You manage your tokens from the Settings page in the dashboard.

A token acts as you: anything it does is attributed to your account and limited to what you can already access. Treat a token like a password.

Opening the Settings page

Open Settings from the dashboard sidebar. The Personal Access Tokens card lists every token you have created, with its name, a short prefix for identification, its scopes, and when it was last used.

Settings page showing the Personal Access Tokens card with a list of existing tokens and a New Token button

Creating a token

  1. Click New Token.
  2. Give the token a name that tells you where it will be used — for example, "My laptop's CLI".
  3. Choose the scopes the token may use (see below).
  4. Pick an expiry: 30, 90, or 365 days, or Never. A token that expires is safer; pick the shortest window that still works for you.
  5. Click Create Token.

Create token dialog with a name field, scope checkboxes, and an expiry selector

Copy the token now

When the token is created, P4A shows the full secret value once. Copy it immediately and store it somewhere safe — a password manager or your client's configuration. P4A never stores the secret in a form it can show again, so if you lose it you must create a new one.

Reveal dialog showing the newly created token value with a copy button and a warning that it will not be shown again

Scopes

Scopes limit what a token can do, so you can hand a client only the access it needs.

Scopes name the level of access, not the client — the same token works for an agentic client, a script, or direct API calls.

ScopeGrants
api:readSearch the catalog, read documentation, and list your deployments, connections, submissions, and workspaces.
api:writeSubmit and deploy policies, rename and delete connections, create and manage workspaces.

Pick the narrowest set that covers your use. A read-only client never needs api:write.

Revoking a token

If a token is no longer needed — or you suspect it has leaked — revoke it. Find it in the list and click the trash-can icon, then confirm. Revoking takes effect immediately: any client still using that token stops working at once. Revocation cannot be undone; create a new token if you need access again.

If you think a token has been exposed, revoke it right away and create a replacement. A leaked token can do anything you can do, within its scopes.

Connecting an MCP client

The most common use of a token is connecting an agentic client to P4A's hosted MCP server. See Connecting a client for the endpoint, per-client config snippets, and What the client can do for the full tool list.

Calling the REST API directly

A token also works against the REST API directly — send it as a Bearer credential and call any documented endpoint:

curl https://www.p4a.dev/api/policies \
  -H "Authorization: Bearer p4a_xxxxxxxxxxxxxxxxxxxxxxxx"

The one exception is creating a token itself: that endpoint requires a signed-in browser session and rejects tokens, because a token cannot mint another token. Create tokens from the Settings page above, not from the API.

The REST API reference lists every endpoint a token can reach, with method, path, required scope, request and response shapes, and an interactive playground. You can also download the OpenAPI spec to import into Postman, Insomnia, or a code generator.

References

On this page