Versions Compared

Version Old Version 1 New Version 2
Changes made by

Darcy Carrie

Darcy Carrie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Personal access tokens function similar to session tokens and can be used by integrations to authenticate against the REST API. It is the most commonly used type of token for integrations.

Creating a Personal Access Token

1 - Enable personal access tokens in System Console > Integrations > Custom Integrations.

...

9 - You’re all set! You can now use the personal access token for integrations to interact with your Mattermost server and authenticate against the Mattermost REST API.

Revoking a Personal Access Token

A personal access token can be revoked by deleting the token from either the user’s account settings or from the System Console. Once deleted, all sessions using the token are deleted, and any attempts to use the token to interact with the Mattermost server are blocked.

Tokens can also be temporarily deactivated from the user’s account settings. Once deactivated, all sessions using the token are deleted, and any attempts to use the token to interact with the Mattermost server are blocked. However, the token can be reactivated at any time.

Account Settings

1 - Sign in to the user account and go to Account Settings > Security > Personal Access Tokens.

2 - Identify the access token you want to revoke and hit Delete. Confirm the deletion.

System Console

1 - Go to System Console > Users, search for the user account which the token belongs to, and select Manage Tokens from the dropdown.

2 - Identify the access token you want to revoke and hit Delete. Confirm the deletion.

Frequently Asked Questions (FAQ)

How do personal access tokens differ from regular session tokens?

  • Personal access tokens do not expire. As a result, you can more easily integrate with Mattermost, bypassing the session length limits set in the System Console.
  • Personal access tokens can be used to authenticate against the API more easily, including with AD/LDAP and SAML accounts.
  • You can optionally assign additional roles for the account creating personal access tokens. This lets the account post to any channel in Mattermost, including direct messages.

Besides the above differences, personal access tokens are exactly the same as regular session tokens. They are cryptic random IDs and are not different from a user’s regular session token created after logging in to Mattermost.

Can I set personal access tokens to expire?

Not in Mattermost, but you can automate your integration to cycle its token through the REST API.

How do I identify a badly behaving personal access token?

Best option is to go to System Console > Logs and finding error messages relating to a particular token ID.

Once identified, you can search which user account the token ID belongs to in System Console > Users and revoke it through the Manage Tokens dropdown option.

Do personal access tokens continue to work if the user is deactivated?

No. The session used by the personal access token is revoked immediately after a user is deactivated, and a new session won’t be created.

...