Personal Access Tokens

Personal Access Tokens (PATs) are the simplest way to authenticate programmatic API access. They carry the full permissions of your account and are not subject to CSRF requirements.

PATs are prefixed hzel_ and stored by SHA-256 hash — the raw value is shown once at creation and never stored in plaintext.

Pass a PAT in the Authorization header for any API call:

Authorization: Bearer hzel_AbCdEfGhIjKlMnOpQrStUvWxYz012345678

No x-csrf-token is required when using PAT auth.


Create a new PAT. Not accessible via OAuth application tokens.

| Header | Value | Required |
|---|---|---|
| Authorization | Bearer <token> | Yes |
| Content-Type | application/json | Yes |

Request Body

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Human-readable label for the token |
| expires_at | string (ISO 8601) | No | Expiry date; omit for a non-expiring token |

Success 200

{
  "data": {
    "token": "hzel_AbCdEfGhIjKlMnOpQrStUvWxYz012345678",
    "id": "01942cf7-…",
    "name": "CI deploy key",
    "prefix": "hzel_AbCdEfGh",
    "created_at": "2026-03-28T00:00:00Z",
    "expires_at": "2027-01-01T00:00:00Z",
    "last_used_at": null,
    "revoked_at": null
  }
}

Copy the token value now — it will not be shown again.

Errors

| Status | error.code | Reason |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid auth |
| 403 | FORBIDDEN | OAuth app tokens may not create PATs |

List all non-revoked tokens for your account. The raw token value is never returned — only the display prefix.

| Header | Value | Required |
|---|---|---|
| Authorization | Bearer <token> | Yes |

Success 200

{
  "data": [
    {
      "id": "01942cf7-…",
      "name": "CI deploy key",
      "prefix": "hzel_AbCdEfGh",
      "created_at": "2026-03-28T00:00:00Z",
      "expires_at": "2027-01-01T00:00:00Z",
      "last_used_at": "2026-03-28T09:00:00Z",
      "revoked_at": null
    }
  ]
}

Errors

| Status | error.code | Reason |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid auth |

Revoke a PAT by ID. Revoked tokens are rejected immediately on next use.

| Header | Value | Required |
|---|---|---|
| Authorization | Bearer <token> | Yes |

Success 200

{ "data": "revoked" }

Errors

| Status | error.code | Reason |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid auth |
| 404 | NOT_FOUND | Token ID not found |
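
The storage and revocation behaviour described on this page (SHA-256 hash at rest, only the display prefix retained, rejection on the next use after revoke), shown server-side as an added example; it is not the service's own code. The in-memory `store`, the function names, the token alphabet and the UUIDv4 `id` are assumptions made for illustration.

```python
import hashlib
import secrets
import string
import uuid
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits  # assumed token alphabet
SECRET_LEN = 35   # length of the random part in the page's sample token
DISPLAY_LEN = 13  # "hzel_" plus 8 characters, like the sample "prefix" field


def digest(raw: str) -> str:
    # The token is long and random, so a fast unsalted hash is adequate here
    # (unlike for passwords); the digest doubles as the lookup key.
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def issue(store: dict, name: str, expires_at=None) -> str:
    """Persist only the hash and metadata; return the raw token exactly once."""
    raw = "hzel_" + "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    store[digest(raw)] = {
        "id": str(uuid.uuid4()), "name": name, "prefix": raw[:DISPLAY_LEN],
        "expires_at": expires_at, "revoked_at": None, "last_used_at": None,
    }
    return raw


def verify(store: dict, authorization: str, now=None):
    """Return the token record for a valid header value, otherwise None."""
    now = now or datetime.now(timezone.utc)
    scheme, _, raw = authorization.partition(" ")
    if scheme.lower() != "bearer" or not raw.startswith("hzel_"):
        return None
    record = store.get(digest(raw))
    if record is None or record["revoked_at"] is not None:
        return None
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return None
    record["last_used_at"] = now
    return record


def revoke(store: dict, token_id: str, now=None) -> bool:
    """Mark the token revoked so the very next verify() call rejects it."""
    for record in store.values():
        if record["id"] == token_id and record["revoked_at"] is None:
            record["revoked_at"] = now or datetime.now(timezone.utc)
            return True
    return False
```

Because only the digest and the 13-character prefix are kept, a leaked copy of `store` does not yield usable tokens, and a lost token can only be replaced, not recovered.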