PAT Integration

Create a personal access token and call a business API without exposing secrets.

Use personal access tokens for scheduled jobs, ERP syncs and backend integrations. The token value is returned only once.

1. Inspect grantable scopes

Shell
curl {{BASE_URL}}/api/v1/auth/api-keys/scopes \
  -H "Authorization: Bearer $CONFORMA_PAT"

Pick the narrowest read/write scopes needed by the integration.

2. Create the token

Shell
curl -X POST {{BASE_URL}}/api/v1/auth/api-keys \
  -H "Authorization: Bearer $CONFORMA_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ERP supplier sync",
    "scopes": ["suppliers:read", "suppliers:write"],
    "expiresAt": "2026-12-31T23:59:59.000Z"
  }'

Store the returned token in your secret manager. Do not log it or commit it.

3. Call a business endpoint

Shell
curl "{{BASE_URL}}/api/v1/suppliers?page=1&limit=20" \
  -H "Authorization: Bearer $ERP_SUPPLIER_SYNC_PAT"

Rotate the token by creating a replacement, deploying it, then revoking the old id with DELETE /api/v1/auth/api-keys/{id}.
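
The rotation sequence above, as an added example that is not part of the original page: it creates the replacement, verifies it against the suppliers endpoint, stores it, and only then revokes the old id, passing each token to curl on stdin rather than on the command line. The `id` and `token` response field names, the placeholder host, the file standing in for a secret manager, and the helper names `api`, `json_field` and `rotate_pat` are assumptions.

```shell
#!/bin/sh
# Added example, not the vendor's code. Assumed: create response has "id" and "token".
BASE_URL="${BASE_URL:-https://api.example.invalid}"   # placeholder host

# Send the bearer token to curl as a config line on stdin (-K -), so the
# secret never appears in argv, `ps` output or shell history.
api() {  # usage: api TOKEN METHOD PATH [JSON_BODY]
  _tok=$1 _json=${4-}
  set -- -sS --fail -K - -X "$2" "$BASE_URL$3"
  if [ -n "$_json" ]; then set -- "$@" -H "Content-Type: application/json" -d "$_json"; fi
  printf 'header = "Authorization: Bearer %s"\n' "$_tok" | curl "$@"
}

# Pull one string field out of a flat JSON object (prefer jq where installed).
json_field() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

rotate_pat() {  # usage: rotate_pat MGMT_TOKEN OLD_KEY_ID SECRET_FILE
  mgmt=$1 old_id=$2 secret_file=$3
  req='{"name":"ERP supplier sync","scopes":["suppliers:read","suppliers:write"],"expiresAt":"2026-12-31T23:59:59.000Z"}'
  resp=$(api "$mgmt" POST /api/v1/auth/api-keys "$req") || return 1
  new_id=$(printf '%s\n' "$resp" | json_field id)
  new_token=$(printf '%s\n' "$resp" | json_field token)
  if [ -z "$new_id" ] || [ -z "$new_token" ]; then
    echo "create response lacked id/token" >&2; return 1
  fi
  # Verify the replacement on a business endpoint before touching the old key.
  if ! api "$new_token" GET '/api/v1/suppliers?page=1&limit=1' >/dev/null; then
    echo "replacement $new_id failed verification; old key left active" >&2
    api "$mgmt" DELETE "/api/v1/auth/api-keys/$new_id" >/dev/null
    return 1
  fi
  # Deploy step (stand-in for a secret manager): owner-only file, atomic swap.
  ( umask 077 && printf '%s\n' "$new_token" >"$secret_file.new" ) || return 1
  mv "$secret_file.new" "$secret_file" || return 1
  # Revoke the old key only after the new one is verified and stored.
  api "$mgmt" DELETE "/api/v1/auth/api-keys/$old_id" >/dev/null || return 1
  echo "$new_id"   # print the id only, never the token value
}

# Usage: rotate_pat "$CONFORMA_PAT" "<old key id>" /run/secrets/erp_supplier_sync_pat
```

If verification fails, the function revokes the unverified replacement and leaves the old key and the stored secret untouched.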