Axero version 9.60 introduced a major security enhancement: REST API authentication has transitioned from traditional API keys to secure Bearer tokens. This industry-standard method strengthens security, simplifies token management, and provides greater control over integration access.
✅ New: All REST API requests now accept Bearer tokens, which can be configured with expiration dates, revoked instantly if needed, and tracked for detailed usage analytics.
❌ Deprecated: Legacy REST API keys are being phased out and are no longer visible or editable in the user interface. Existing API keys will continue to function until the next General Release, giving you time to migrate existing integrations smoothly without service disruption.
This modernization brings significant security and operational advantages for your organization:
Enhanced Security – Bearer tokens use cryptographic signatures and configurable expiration times to reduce risks from credential theft, token replay attacks, and unauthorized access.
Greater Flexibility – Create unlimited tokens with custom names, expiration periods, and specific purposes. Each token can be tailored to individual applications, integrations, or user roles.
Improved Management – Gain complete visibility into active integrations with detailed token metadata, usage tracking, and the ability to instantly revoke access without affecting other integrations.
Industry Standards Compliance – Bearer tokens align with modern authentication standards, ensuring compatibility with enterprise security tools and third-party integrations.
| Feature | API Key | Bearer Token |
| --- | --- | --- |
| Visibility After Creation | Always visible in user preferences | Displayed only once at creation |
| Expiration Control | No expiration (permanent until manually deleted) | Configurable expiration periods: minutes to years, or unlimited (if enabled by admin) |
| Revocation | Manual deletion required; immediate effect | Instant revocation through UI; immediately invalidates all requests using that token |
| Security Level | Static credentials with no built-in expiration; higher risk if compromised | Cryptographically signed with configurable expiration |
| Scope & Permissions | Inherits all permissions from the user account that created it | Inherits user permissions but can be customized with descriptive names for specific applications or integration purposes |
| Token Management & Tracking | Basic visibility; no naming or categorization options | Full lifecycle management: custom names, creation dates, expiration tracking, and usage monitoring |
Q: Can I test Bearer tokens before fully switching over?
A: Yes. Both authentication methods work simultaneously during the transition period, allowing you to test Bearer tokens in development environments and gradually migrate production integrations without service interruption.
Q: Can I view and manage my Bearer tokens after creating them?
A: You can view token metadata (name, creation date, expiration date, status) and manage tokens (rename, revoke) by navigating to your Profile > Activity Stream > Integrations > Authorizations. The plain token value cannot be retrieved after initial creation for security reasons; this is why you must save it immediately upon creation.
Q: What should I do if I lose a Bearer token?
A: If you lose a token, you must create a new one and update all applications that use it. The lost token should be revoked immediately to maintain security. This is why secure storage of tokens is critical.
Q: Can I use the same Bearer token across multiple applications?
A: While technically possible, it's a security best practice to create separate tokens for each application or integration. This allows for better tracking, individual revocation, and follows the principle of least privilege.
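The answers above list the metadata kept for each token and recommend one token per integration. The audit below is an added example, not Axero code: it runs over a constructed inventory whose field names and `used_by` list are assumptions (the page does not describe an export format) and flags active tokens with no expiration, tokens close to expiry, and tokens shared by several integrations.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Fields mirror the metadata named in the FAQ
# (name, creation date, expiration date, status); "used_by" is an assumed,
# team-maintained list of the integrations that hold each token.
INVENTORY = [
    {"name": "hr-sync", "created": "2025-01-10", "expires": "2025-07-10",
     "status": "active", "used_by": ["hr-sync"]},
    {"name": "shared-reporting", "created": "2025-02-01", "expires": "2026-02-01",
     "status": "active", "used_by": ["bi-dashboard", "nightly-export"]},
    {"name": "legacy-import", "created": "2024-11-05", "expires": None,
     "status": "active", "used_by": ["legacy-import"]},
    {"name": "old-poc", "created": "2024-06-01", "expires": "2024-12-01",
     "status": "revoked", "used_by": []},
]


def parse_day(day):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_tokens(inventory, now, rotate_within_days=30):
    """Return {token name: [findings]} for active tokens that need attention."""
    findings = {}
    for tok in inventory:
        if tok["status"] != "active":
            continue  # revoked tokens no longer authenticate requests
        issues = []
        if tok["expires"] is None:
            issues.append("no expiration set")
        else:
            remaining = parse_day(tok["expires"]) - now
            if remaining <= timedelta(0):
                issues.append("expired but still listed as active")
            elif remaining <= timedelta(days=rotate_within_days):
                issues.append(f"expires in {remaining.days} days; rotate")
        if len(tok["used_by"]) > 1:
            issues.append("shared by " + ", ".join(tok["used_by"]))
        if issues:
            findings[tok["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_tokens(INVENTORY, parse_day("2025-06-20")).items():
        print(f"{name}: {'; '.join(issues)}")
```
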
Ready to transition to Bearer token authentication? Follow this recommended migration path:
For detailed implementation guidance, see Using the REST API.