Machine tokens
Machine tokens let scripts, CI jobs, and AI tools call a protected app without pretending to be a person. They authenticate requests to one Project and appear by name in the access log.
Last updated
A machine token opens your deployed app. It cannot manage Tokay Services, code, or settings. API credentials for managing Tokay are covered in For AI agents.
Create a token for one caller
Machine tokens live on the Project's Access tab. Give each caller its own token so you can identify and revoke it without affecting anything else.
A Project can have up to 100 active tokens. The full value looks like tokay_machine_<key_id>_<secret> and appears once when the token is created. Store it in the caller's secret manager before closing the dialog. Tokay cannot show the secret again.
Send it with each request
Use the token as a bearer token when calling the app.
curl -H "Authorization: Bearer tokay_machine_..." https://my-api-r4k7x2m9.tokay.app/report
Tokay authenticates the request and passes identity headers to the app. The Project access log records which token called, when it called, and whether access was allowed.
Revoke access immediately
Revoking a token stops it within seconds and cannot be undone. Create a new token if the caller needs access again.
If you reach the 100-token limit, Tokay asks you to revoke an existing token rather than replacing one silently.