# Machine tokens

Machine tokens let scripts, CI jobs, and AI tools call a protected app without pretending to be a person. They authenticate requests to one Project and appear by name in the access log.

A machine token opens your deployed app. It cannot manage Tokay Services, code, or settings. API credentials for managing Tokay are covered in [For AI agents](for-ai-agents.md).

## Create a token for one caller

Machine tokens live on the Project's **Access** tab. Give each caller its own token so you can identify and revoke it without affecting anything else.

A Project can have up to 100 active tokens. The full value looks like `tokay_machine_<key_id>_<secret>` and appears once when the token is created. Store it in the caller's secret manager before closing the dialog. Tokay cannot show the secret again.

## Send it with each request

Use the token as a bearer token when calling the app.

```sh
curl -H "Authorization: Bearer tokay_machine_..." https://my-api-r4k7x2m9.tokay.app/report
```

Tokay authenticates the request and passes identity headers to the app. The Project access log records which token called, when it called, and whether access was allowed.

## Revoke access immediately

Revoking a token stops it within seconds and cannot be undone. Create a new token if the caller needs access again.

If you reach the 100-token limit, Tokay asks you to revoke an existing token rather than replacing one silently.
