Personal access tokens (PATs) authenticate server-to-server integrations with `Authorization: Bearer <token>`. Tokens are returned only once when created.
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/auth/api-keys | List current user's personal access tokens |
| POST | /api/v1/auth/api-keys | Create a new personal access token |
| DELETE | /api/v1/auth/api-keys/{id} | Revoke a token |
| GET | /api/v1/auth/api-keys/scopes | List grantable scopes for the current user |
GET /api/v1/auth/api-keys
```shell
curl {{BASE_URL}}/api/v1/auth/api-keys \
  -H "Authorization: Bearer $CONFORMA_PAT"
```
200 OK returns an array of ApiKeyDto.
POST /api/v1/auth/api-keys
Request body (CreateApiKeyDto)
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Token display name, max 120 characters |
| scopes | string[] | yes | One or more module:access scopes |
| expiresAt | date-time | no | Optional expiration timestamp |
```shell
curl -X POST {{BASE_URL}}/api/v1/auth/api-keys \
  -H "Authorization: Bearer $CONFORMA_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ERP nightly sync",
    "scopes": ["suppliers:read", "suppliers:write"],
    "expiresAt": "2026-12-31T23:59:59.000Z"
  }'
```
201 Created returns ApiKeyWithTokenDto, including token. Store the token immediately; it is not returned again.
DELETE /api/v1/auth/api-keys/{id}
Revokes a token by id.
204 No Content means the token was revoked.
GET /api/v1/auth/api-keys/scopes
Returns an array of ApiKeyScopeOptionDto.
| Field | Type | Description |
|---|---|---|
| scope | string | Scope value such as suppliers:read |
| module | string | Module key |
| access | enum | read or write |
| grantable | boolean | Whether the current user can grant the scope |
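
As an added example (not part of the original reference and not the product's own code), the Python below builds a CreateApiKeyDto body only from scopes that GET /api/v1/auth/api-keys/scopes marks as grantable, and separates the one-time token from the fields that are safe to log. The function names are hypothetical, the sample scope list and 201 body are constructed, and the `id` and `name` response fields and the module-key character set are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption: module keys are lowercase letters, digits, "_" or "-".
SCOPE_RE = re.compile(r"^[a-z0-9_-]+:(read|write)$")

# Constructed sample of an ApiKeyScopeOptionDto array (not real output).
SAMPLE_SCOPE_OPTIONS = [
    {"scope": "suppliers:read", "module": "suppliers", "access": "read", "grantable": True},
    {"scope": "suppliers:write", "module": "suppliers", "access": "write", "grantable": False},
]
# Constructed sample of a 201 body; "id" and "name" are assumed fields.
SAMPLE_CREATED = {"id": "example-id", "name": "ERP nightly sync", "token": "constructed-token"}


def build_create_request(name, wanted, scope_options, expires_at=None, now=None):
    """Return a CreateApiKeyDto dict, or raise ValueError before any request is sent."""
    now = now or datetime.now(timezone.utc)
    if not name or len(name) > 120:
        raise ValueError("name must be 1-120 characters")
    if not wanted:
        raise ValueError("at least one scope is required")
    grantable = {o["scope"] for o in scope_options if o["grantable"]}
    for scope in wanted:
        if not SCOPE_RE.match(scope):
            raise ValueError(f"malformed scope: {scope!r}")
        if scope not in grantable:
            raise ValueError(f"scope not grantable by current user: {scope}")
    body = {"name": name, "scopes": list(dict.fromkeys(wanted))}  # de-duplicate, keep order
    if expires_at is not None:
        if expires_at.tzinfo is None or expires_at <= now:
            raise ValueError("expiresAt must be timezone-aware and in the future")
        utc = expires_at.astimezone(timezone.utc)
        body["expiresAt"] = utc.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return body


def split_created(response):
    """Split ApiKeyWithTokenDto into (token, metadata); only metadata may be logged."""
    meta = dict(response)
    token = meta.pop("token")  # returned once: hand straight to a secret store
    return token, meta
```

Requesting `suppliers:write` against the constructed scope list fails locally, so an over-broad token request is rejected before it reaches the API.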