Manage API token lifecycle
Create, rotate, disable, and delete API tokens while maintaining secure, zero-downtime integrations.
15 minute read
API tokens authenticate requests to DigiCert® ONE APIs. Depending on their configuration, tokens either expire on a set date or remain active until manually revoked. In this tutorial, you’ll learn how to manage the full token lifecycle using a zero-downtime approach.
Best practice
To reduce credential risk and avoid service disruptions, follow service user and token management best practices: use one service user per integration, apply least privilege, configure token expiration when supported, and rotate tokens with overlap. For details, see Best practices for service users and API tokens.In this tutorial, you will:
- Retrieve your user ID to identify which tokens belong to you.
- List your existing API tokens to audit their status and expiration dates.
- Create a new API token with a descriptive name and expiration date.
- Inspect the new token by ID to confirm its settings.
- Disable the old token to stop its use without deleting it.
- Delete the disabled token to complete the rotation.
Before you begin
Before you begin, make sure you have:
A DigiCert ONE account with Account Manager access.
An existing API token to authenticate the initial requests. Any DigiCert ONE user role (
AM_DEFAULT_USER, AM_ACCOUNT_USER, AM_ACCOUNT_MANAGER, or AM_ACCOUNT_ADMIN) includes the ability to manage your own API tokens. To manage service user tokens, you need access to the service user’s account.Your API token value stored securely. You will use it in the
X-API-Key request header.cURL or an equivalent HTTP client installed. Use
curl --version to verify.Endpoint overview
| Method | Path | Description |
|---|---|---|
| GET | /account/api/v1/user/{user_id} | Get current user details |
| GET | /account/api/v1/api-access-token | List API tokens for a user |
| POST | /account/api/v1/api-access-token | Create a new API token |
| GET | /account/api/v1/api-access-token/{id} | Get API token by ID |
| PUT | /account/api/v1/api-access-token/{id} | Update or disable an API token |
| DELETE | /account/api/v1/api-access-token/{id} | Delete an API token |
Step 1: Retrieve your user ID
The Account Manager API requires a user_id query parameter to list tokens. Use the special value me as the {user_id} path parameter to retrieve your own user details and get your user ID.
Request:
curl -X GET "https://demo.one.digicert.com/account/api/v1/user/me" \
-H "x-api-key: USER_API_TOKEN" | jq '.'import requests
# Configuration
BASE_URL = "https://demo.one.digicert.com"
USER_API_TOKEN = "USER_API_TOKEN"
me = "me"
response = requests.get(
f"{BASE_URL}/account/api/v1/user/{me}",
headers={"x-api-key": USER_API_TOKEN}
)
print(f"Status Code: {response.status_code}")
print(response.json())import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class ApiExample {
public static void main(String[] args) throws Exception {
// Configuration
String baseUrl = "https://demo.one.digicert.com";
String userApiToken = "USER_API_TOKEN";
String me = "me";
// Send request
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(baseUrl + "/account/api/v1/user/" + me))
.header("x-api-key", userApiToken)
.GET()
.build();
HttpResponse<String> response = client.send(
request,
HttpResponse.BodyHandlers.ofString()
);
System.out.println("Status Code: " + response.statusCode());
System.out.println(response.body());
}
}using System;
using System.Net.Http;
using System.Threading.Tasks;
class Program
{
static async Task Main(string[] args)
{
// Configuration
string baseUrl = "https://demo.one.digicert.com";
string userApiToken = "USER_API_TOKEN";
string me = "me";
// Send request
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", userApiToken);
var response = await client.GetAsync($"{baseUrl}/account/api/v1/user/{me}");
string responseBody = await response.Content.ReadAsStringAsync();
Console.WriteLine($"Status Code: {(int)response.StatusCode}");
Console.WriteLine(responseBody);
}
}Replace {user_id} with me to get details for the currently authenticated user.
Successful response (200 OK):
{
"id": "6792e182-4b96-4a2e-9061-14741be4234e",
"email": "jane@example.com",
"status": "ACTIVE",
"access_scope": "account",
"primary_account_id": "d6a3938c-f044-4092-b7f8-1804ae8e4efc",
"created_at": "2021-06-23T08:55:19Z",
"created_by": "5092c936-a5be-4c22-8bec-a649deef2c55",
"user_type": "service",
"friendly_name": "Example service user",
"description": "",
"locale": "en_US",
"applications": [
{
"id": "360348d9-1c3a-49fa-b82d-109ec552fd9f",
"name": "Trust Lifecycle",
"permissions": [
"VIEW_EM_SEAT",
"VIEW_EM_AUDIT_LOG",
"VIEW_EM_CERTIFICATE",
"VIEW_EM_PROFILE"
]
},
{
"id": "c46187a2-243b-41a9-aedc-0518ab1b6cf6",
"name": "IoT Trust",
"permissions": [
"VIEW_IOT_CERTIFICATE",
"VIEW_IOT_ENROLLMENT_PROFILE"
]
},
{
"id": "7e919d8a-07b2-44ee-96a0-9c2e1455e469",
"name": "Document Trust",
"permissions": [
"MANAGE_DSM_VIEW_CERTIFICATE_PROFILES",
"MANAGE_DSM_ADD_VALIDATIONS",
"MANAGE_DSM_VIEW_CERTIFICATE_TEMPLATES",
"MANAGE_DSM_VIEW_VALIDATIONS"
]
},
{
"id": "6510a754-e47b-48c5-88cb-1cd677e801ce",
"name": "Account Manager",
"permissions": [
"MANAGE_AM_ACCOUNT",
"VIEW_AM_AUDIT_LOG"
]
},
{
"id": "e70323fa-6014-42f3-a669-22645606d1fd",
"name": "CA Manager",
"permissions": [
"VIEW_CM_LICENSE"
]
},
{
"id": "a7081787-1dd8-492a-9c90-26ef079a7eb1",
"name": "Software Trust",
"permissions": [
"MANAGE_SM_CERTIFICATE_PROFILE",
"VIEW_SM_CERTIFICATE",
"SIGN_SM_HASH"
]
}
],
"accounts": [
{
"id": "e14c40ed-6827-405f-afc9-c34051dd26e9",
"name": "Example account",
"active": true,
"service_period": {
"from": "2021-05-06",
"to": "2030-05-06"
},
"friendly_identifier": "1234567",
"locale": "en_US"
}
]
}
From the response, note the id field. This is your user ID in UUID format. Confirm the status field is ACTIVE. Save the id value. You will need this in the next step when you list your existing tokens.
Step 2: List your existing API tokens
Before creating a new token, review your existing tokens to understand what is currently active. This step helps you identify tokens approaching expiration and determine which token to rotate.
Request:
curl -X GET "https://demo.one.digicert.com/account/api/v1/api-access-token?user_id=USER_ID" \
-H "x-api-key: USER_API_TOKEN" | jq '.'import requests
# Configuration
BASE_URL = "https://demo.one.digicert.com"
USER_API_TOKEN = "USER_API_TOKEN"
# Query parameters
USER_ID = "USER_ID"
response = requests.get(
f"{BASE_URL}/account/api/v1/api-access-token",
headers={"x-api-key": USER_API_TOKEN},
params={"user_id": USER_ID}
)
print(f"Status Code: {response.status_code}")
print(response.json())import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class ApiExample {
public static void main(String[] args) throws Exception {
// Configuration
String baseUrl = "https://demo.one.digicert.com";
String userApiToken = "USER_API_TOKEN";
// Query parameters
String userId = "USER_ID";
// Send request
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(baseUrl + "/account/api/v1/api-access-token" + "?user_id=" + userId))
.header("x-api-key", userApiToken)
.GET()
.build();
HttpResponse<String> response = client.send(
request,
HttpResponse.BodyHandlers.ofString()
);
System.out.println("Status Code: " + response.statusCode());
System.out.println(response.body());
}
}using System;
using System.Net.Http;
using System.Threading.Tasks;
class Program
{
static async Task Main(string[] args)
{
// Configuration
string baseUrl = "https://demo.one.digicert.com";
string userApiToken = "USER_API_TOKEN";
// Query parameters
string userId = "USER_ID";
// Send request
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", userApiToken);
var response = await client.GetAsync($"{baseUrl}/account/api/v1/api-access-token?user_id={userId}");
string responseBody = await response.Content.ReadAsStringAsync();
Console.WriteLine($"Status Code: {(int)response.StatusCode}");
Console.WriteLine(responseBody);
}
}Replace the user_id query parameter value with the id from Step 1.
Successful response (200 OK):
[
{
"id": "7b5d83e7-6e5f-4ade-ad48-111c6f3420f7",
"user_id": "e7ea1214-d688-48ba-aa1b-131fb2867ac5",
"name": "API token name",
"end_date": "2022-05-30T23:59:59Z",
"start_date": "2021-06-25T21:20:06Z",
"active": true,
"enabled": true,
"masked_api_key": "*************9e2a1"
}
]
The response returns an array of token objects. Each object includes the name, active and enabled status flags, start_date, end_date (if set), and masked_api_key (for example, *************0f8db).
The list endpoint never returns the full token value. Only the masked version. Review the end_date and enabled fields to identify tokens approaching expiration. Save the id of the token you plan to rotate out. You will need this in Step 5: Disable the old token when you disable it.
Step 3: Create a new API token
Now that you know what tokens exist, create a new one. You can set a name to identify the token and an optional end_date to enforce automatic expiration. Always setting an expiration date limits exposure if a token is compromised.
Request:
curl -X POST "https://demo.one.digicert.com/account/api/v1/api-access-token" \
-H "x-api-key: USER_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "My API token",
"end_date": "2025-12-31T23:59:59Z",
"user_id": "USER_ID"
}' | jq '.'import requests
# Configuration
BASE_URL = "https://demo.one.digicert.com"
USER_API_TOKEN = "USER_API_TOKEN"
# Request details
NAME = "My API token"
END_DATE = "2025-12-31T23:59:59Z"
USER_ID = "USER_ID"
payload = {
"name": NAME,
"end_date": END_DATE,
"user_id": USER_ID,
}
response = requests.post(
f"{BASE_URL}/account/api/v1/api-access-token",
headers={
"x-api-key": USER_API_TOKEN,
"Content-Type": "application/json"
},
json=payload
)
print(f"Status Code: {response.status_code}")
print(response.json())import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
public class ApiExample {
public static void main(String[] args) throws Exception {
// Configuration
String baseUrl = "https://demo.one.digicert.com";
String userApiToken = "USER_API_TOKEN";
// Request details
String name = "My API token";
String endDate = "2025-12-31T23:59:59Z";
String userId = "USER_ID";
// Build payload
ObjectMapper mapper = new ObjectMapper();
ObjectNode payload = mapper.createObjectNode();
payload.put("name", name);
payload.put("end_date", endDate);
payload.put("user_id", userId);
// Send request
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(baseUrl + "/account/api/v1/api-access-token"))
.header("x-api-key", userApiToken)
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(mapper.writeValueAsString(payload)))
.build();
HttpResponse<String> response = client.send(
request,
HttpResponse.BodyHandlers.ofString()
);
System.out.println("Status Code: " + response.statusCode());
System.out.println(response.body());
}
}using System;
using System.Net.Http;
using System.Text;
using System.Text.Json.Nodes;
using System.Threading.Tasks;
class Program
{
static async Task Main(string[] args)
{
// Configuration
string baseUrl = "https://demo.one.digicert.com";
string userApiToken = "USER_API_TOKEN";
// Request details
string name = "My API token";
string endDate = "2025-12-31T23:59:59Z";
string userId = "USER_ID";
// Build payload
var payload = new JsonObject
{
["name"] = name,
["end_date"] = endDate,
["user_id"] = userId
};
// Send request
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", userApiToken);
var content = new StringContent(
payload.ToJsonString(),
Encoding.UTF8,
"application/json"
);
var response = await client.PostAsync($"{baseUrl}/account/api/v1/api-access-token", content);
string responseBody = await response.Content.ReadAsStringAsync();
Console.WriteLine($"Status Code: {(int)response.StatusCode}");
Console.WriteLine(responseBody);
}
}Set the following fields in the request body:
name(required): A descriptive name for the token. The name must be unique across your tokens and can contain letters, numbers, spaces, dashes, and underscores. Use a name that identifies the token’s purpose, such asci-pipeline-prod-2026Q2orcert-rotation-service.end_date: The expiration date in ISO 8601 format:YYYY-MM-DDTHH:MM:SSTZD. For example,2026-09-30T23:59:59Zsets the token to expire on September 30, 2026 at 23:59:59 UTC. If you omitend_date, the token never expires.user_id: Including this field allows you to create a token for the specified service user instead of yourself.
Important
A successful response returns the API token value only once. Copy and store thetoken field immediately in a secure location such as a secrets manager or vault. If you lose this value, you cannot retrieve it. You must delete the token and create a new one.Successful response (201 Created):
{
"id": "7b5d83e7-6e5f-4ade-ad48-111c6f3420f7",
"user_id": "e7ea1214-d688-48ba-aa1b-131fb2867ac5",
"name": "My API token",
"token": "api-token-string",
"end_date": "2025-12-31T23:59:59Z",
"start_date": "2024-12-03T21:20:06Z",
"active": true,
"enabled": true,
"masked_api_key": "*************9e2a1"
}
From the response, immediately copy and save the token field. This is the only time the full token value is available. The response also includes id (the token’s UUID), name, start_date, end_date, and status flags (active and enabled). Save the id value. You will need this in the next step to inspect the token settings.
Step 4: Inspect the new token
After creating the token, verify its settings by retrieving it by ID. This confirms the name, expiration date, and enabled status are correct before you start using it in your integrations.
Request:
curl -X GET "https://demo.one.digicert.com/account/api/v1/api-access-token/ID" \
-H "x-api-key: USER_API_TOKEN" | jq '.'import requests
# Configuration
BASE_URL = "https://demo.one.digicert.com"
USER_API_TOKEN = "USER_API_TOKEN"
ID = "ID"
response = requests.get(
f"{BASE_URL}/account/api/v1/api-access-token/{ID}",
headers={"x-api-key": USER_API_TOKEN}
)
print(f"Status Code: {response.status_code}")
print(response.json())import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class ApiExample {
public static void main(String[] args) throws Exception {
// Configuration
String baseUrl = "https://demo.one.digicert.com";
String userApiToken = "USER_API_TOKEN";
String id = "ID";
// Send request
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(baseUrl + "/account/api/v1/api-access-token/" + id))
.header("x-api-key", userApiToken)
.GET()
.build();
HttpResponse<String> response = client.send(
request,
HttpResponse.BodyHandlers.ofString()
);
System.out.println("Status Code: " + response.statusCode());
System.out.println(response.body());
}
}using System;
using System.Net.Http;
using System.Threading.Tasks;
class Program
{
static async Task Main(string[] args)
{
// Configuration
string baseUrl = "https://demo.one.digicert.com";
string userApiToken = "USER_API_TOKEN";
string id = "ID";
// Send request
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", userApiToken);
var response = await client.GetAsync($"{baseUrl}/account/api/v1/api-access-token/{id}");
string responseBody = await response.Content.ReadAsStringAsync();
Console.WriteLine($"Status Code: {(int)response.StatusCode}");
Console.WriteLine(responseBody);
}
}Replace {id} with the token ID from the Step 3 response.
Successful response (200 OK):
{
"id": "7b5d83e7-6e5f-4ade-ad48-111c6f3420f7",
"user_id": "e7ea1214-d688-48ba-aa1b-131fb2867ac5",
"name": "API token name",
"end_date": "2022-05-30T23:59:59Z",
"start_date": "2021-06-25T21:20:06Z",
"active": true,
"enabled": true,
"masked_api_key": "*************9e2a1"
}
Confirm the name and end_date match what you set in Step 3, and that both active and enabled are true. The masked_api_key field shows the last few characters of the token for identification. Once you have verified the token settings and updated your integrations to use the new token value. In the next step you’ll disable the old token.
Step 5: Disable the old token
After your integrations are running on the new token, disable the old token. Disabling a token immediately stops it from authenticating, but the API preserves the token object. This gives you a rollback path so if something goes wrong with the new token, you can re-enable the old one.
Request:
curl -X PUT "https://demo.one.digicert.com/account/api/v1/api-access-token/ID" \
-H "x-api-key: USER_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Updated API token Name",
"enabled": false
}' | jq '.'import requests
# Configuration
BASE_URL = "https://demo.one.digicert.com"
USER_API_TOKEN = "USER_API_TOKEN"
ID = "ID"
# Request details
NAME = "Updated API token Name"
payload = {
"name": NAME,
"enabled": False,
}
response = requests.put(
f"{BASE_URL}/account/api/v1/api-access-token/{ID}",
headers={
"x-api-key": USER_API_TOKEN,
"Content-Type": "application/json"
},
json=payload
)
print(f"Status Code: {response.status_code}")
print(response.json())import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
public class ApiExample {
public static void main(String[] args) throws Exception {
// Configuration
String baseUrl = "https://demo.one.digicert.com";
String userApiToken = "USER_API_TOKEN";
String id = "ID";
// Request details
String name = "Updated API token Name";
// Build payload
ObjectMapper mapper = new ObjectMapper();
ObjectNode payload = mapper.createObjectNode();
payload.put("name", name);
payload.put("enabled", false);
// Send request
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(baseUrl + "/account/api/v1/api-access-token/" + id))
.header("x-api-key", userApiToken)
.header("Content-Type", "application/json")
.PUT(HttpRequest.BodyPublishers.ofString(mapper.writeValueAsString(payload)))
.build();
HttpResponse<String> response = client.send(
request,
HttpResponse.BodyHandlers.ofString()
);
System.out.println("Status Code: " + response.statusCode());
System.out.println(response.body());
}
}using System;
using System.Net.Http;
using System.Text;
using System.Text.Json.Nodes;
using System.Threading.Tasks;
class Program
{
static async Task Main(string[] args)
{
// Configuration
string baseUrl = "https://demo.one.digicert.com";
string userApiToken = "USER_API_TOKEN";
string id = "ID";
// Request details
string name = "Updated API token Name";
// Build payload
var payload = new JsonObject
{
["name"] = name,
["enabled"] = false
};
// Send request
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", userApiToken);
var content = new StringContent(
payload.ToJsonString(),
Encoding.UTF8,
"application/json"
);
var response = await client.PutAsync($"{baseUrl}/account/api/v1/api-access-token/{id}", content);
string responseBody = await response.Content.ReadAsStringAsync();
Console.WriteLine($"Status Code: {(int)response.StatusCode}");
Console.WriteLine(responseBody);
}
}Replace {id} with the token ID of the old token from Step 2.
Set the following fields in the request body:
name(required): The current name of the token. This field is required even when you only want to change other fields.enabled: Set tofalseto disable the token.
Tip
You can also use this endpoint to update a token’sname or extend its end_date. For example, if you need more time before rotating, update the end_date to extend the token’s validity. You can only extend the expiration date. It cannot be shortened or set to a past date.Successful response (200 OK):
{
"id": "7b5d83e7-6e5f-4ade-ad48-111c6f3420f7",
"user_id": "e7ea1214-d688-48ba-aa1b-131fb2867ac5",
"name": "Updated API token Name",
"end_date": "2025-12-31T23:59:59Z",
"start_date": "2021-06-25T21:20:06Z",
"active": true,
"enabled": false,
"masked_api_key": "*************9e2a1"
}
Confirm the response shows enabled: false. The token is now disabled and cannot be used for authentication. If you need to re-enable it, send the same PUT request with enabled: true. Know that expired tokens cannot be re-enabled. If the token has passed its end_date, you must create a new one. Once you are confident your integrations are stable on the new token, proceed to the next step to permanently delete the old token.
Step 6: Delete the disabled token
After confirming your integrations are stable on the new token, permanently delete the old token. This removes it from your account and ensures it cannot be re-enabled.
Request:
curl -X DELETE "https://demo.one.digicert.com/account/api/v1/api-access-token/ID" \
-H "x-api-key: USER_API_TOKEN"import requests
# Configuration
BASE_URL = "https://demo.one.digicert.com"
USER_API_TOKEN = "USER_API_TOKEN"
ID = "ID"
response = requests.delete(
f"{BASE_URL}/account/api/v1/api-access-token/{ID}",
headers={"x-api-key": USER_API_TOKEN}
)
print(f"Status Code: {response.status_code}")import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class ApiExample {
public static void main(String[] args) throws Exception {
// Configuration
String baseUrl = "https://demo.one.digicert.com";
String userApiToken = "USER_API_TOKEN";
String id = "ID";
// Send request
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(baseUrl + "/account/api/v1/api-access-token/" + id))
.header("x-api-key", userApiToken)
.DELETE()
.build();
HttpResponse<String> response = client.send(
request,
HttpResponse.BodyHandlers.ofString()
);
System.out.println("Status Code: " + response.statusCode());
}
}using System;
using System.Net.Http;
using System.Threading.Tasks;
class Program
{
static async Task Main(string[] args)
{
// Configuration
string baseUrl = "https://demo.one.digicert.com";
string userApiToken = "USER_API_TOKEN";
string id = "ID";
// Send request
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", userApiToken);
var response = await client.DeleteAsync($"{baseUrl}/account/api/v1/api-access-token/{id}");
Console.WriteLine($"Status Code: {(int)response.StatusCode}");
}
}Replace {id} with the token ID of the disabled token from Step 5.
Successful response (204 No Content)
This permanently deletes the token. This action cannot be undone. If you list your tokens again (Step 2), the deleted token no longer appears.
Common errors and solutions
For general API errors (authentication, rate limits), see Error handling and rate limits.
duplicate_error
{
"errors": [
{
"code": "duplicate_error",
"message": "Nickname [name] already exists. Enter a different nickname."
}
]
}
Choose a unique value for the name field in the POST request body. List your existing tokens (Step 2) to see which names are already in use.
invalid_input_field
{
"errors": [
{
"code": "invalid_input_field",
"message": "Invalid end_date [value]."
}
]
}
Format the end_date as ISO 8601: YYYY-MM-DDTHH:MM:SSTZD. For example, 2026-09-30T23:59:59Z. Ensure the date is in the future and includes a timezone designator.
entity_not_found
{
"errors": [
{
"code": "entity_not_found",
"message": "Requested entity was not found"
}
]
}
Verify the {id} path parameter is a valid token UUID. If you recently deleted the token, it no longer exists and cannot be retrieved, updated, or deleted again.
Complete Python example
import requests
# Configuration
BASE_URL = "https://demo.one.digicert.com"
USER_API_TOKEN = "USER_API_TOKEN"
HEADERS = {
"x-api-key": USER_API_TOKEN,
"Content-Type": "application/json"
}
# Step 1: Retrieve your user ID
print("Step 1: Retrieve your user ID...")
USER_ID = "USER_ID"
response = requests.get(
f"{BASE_URL}/account/api/v1/user/{USER_ID}",
headers={"x-api-key": USER_API_TOKEN}
)
user_id = response.json()["id"]
print(f" user_id: {user_id}")
# Step 2: List your existing API tokens
print("Step 2: List your existing API tokens...")
params = {
"user_id": user_id,
}
response = requests.get(
f"{BASE_URL}/account/api/v1/api-access-token",
headers={"x-api-key": USER_API_TOKEN},
params=params
)
old_token_id = response.json()[0]["id"]
print(f" old_token_id: {old_token_id}")
old_token_name = response.json()[0]["name"]
print(f" old_token_name: {old_token_name}")
# Step 3: Create a new API token
print("Step 3: Create a new API token...")
payload = {
"name": "NAME",
"end_date": "2026-12-31T23:59:59Z",
"user_id": user_id,
}
response = requests.post(
f"{BASE_URL}/account/api/v1/api-access-token",
headers=HEADERS,
json=payload
)
new_token_id = response.json()["id"]
print(f" new_token_id: {new_token_id}")
new_api_token = response.json()["token"]
print(f" new_api_token: {new_api_token}")
# Step 4: Inspect the new token
print("Step 4: Inspect the new token...")
response = requests.get(
f"{BASE_URL}/account/api/v1/api-access-token/{new_token_id}",
headers={"x-api-key": USER_API_TOKEN}
)
# Step 5: Disable the old token
print("Step 5: Disable the old token...")
payload = {
"name": "NAME",
"enabled": False,
}
response = requests.put(
f"{BASE_URL}/account/api/v1/api-access-token/{old_token_id}",
headers=HEADERS,
json=payload
)
# Step 6: Delete the disabled token
print("Step 6: Delete the disabled token...")
response = requests.delete(f"{BASE_URL}/account/api/v1/api-access-token/{old_token_id}", headers={"x-api-key": USER_API_TOKEN})
print("\nAPI token rotation complete! Old token disabled and deleted, new token active.")
What’s next?
Now that you have rotated your API token, you can:
- Automate rotation on a schedule: Build the create-verify-disable-delete workflow into a scheduled job or CI/CD pipeline that runs before tokens expire. Use the
end_datefield to enforce a rotation cadence (for example, every 90 days). - Configure client certificate authentication: For higher-security environments, add a client authentication certificate as an additional or alternative authentication method. See Set up service user multi-factor authentication.
- Audit token usage: Query the Account Manager audit logs to monitor which tokens are being used and when, helping you identify unused tokens that can be retired. See Audit API activity for compliance reporting.
- Manage service user tokens: Use the same endpoints with the
user_idfield on the POST request to create and rotate tokens for service users across your accessible accounts.
Was this page helpful?
Provide feedback