Creating Bearer Tokens | Axero Documentation

Bearer tokens provide enhanced security and management capabilities for REST API authentication in Axero. Available starting with Axero version 9.60, these cryptographically signed tokens replace traditional API keys and follow industry-standard protocols (RFC 7519) for secure API access.

📋 Administrator Prerequisites: Bearer token functionality must be enabled by an administrator through Control Panel > System > System Properties with the settings EnableLegacyAPIKey = false and EmulateLegacyAPIKey = true. See Enabling REST API Access for complete setup instructions.

🔑 User Permission Requirements: Your user role must have REST API access enabled by an administrator. If you cannot access the Authorizations section, contact your system administrator to enable API permissions for your role.

Once prerequisites are met, users can create and manage Bearer tokens through the Authorizations section in their account settings. This self-service interface provides secure token lifecycle management for API integrations with external applications and tools.

Creating Your First Bearer Token

Follow these step-by-step instructions to create a new Bearer token for your API integrations:

1. Access Your Profile Menu: Click on your profile avatar in the top right corner of the screen to open the user menu.
   
   
2. Navigate to Account Settings: From the dropdown menu, select Activity Stream to access your account settings.
   
   
3. Open Integrations Section: In the left sidebar navigation, locate and click Integrations.
   
   
4. Access Authorizations: Within the Integrations section, navigate to the Authorizations tab. This is your Bearer token management center, where you can create, view, and manage all your API tokens.
5. Initiate Token Creation: Click the Add Authorization button. A new token configuration form will appear at the top of your token list.
   
   
6. Configure Token Settings: Complete the token configuration form with the following information:

   Token Name (Required)

   Enter a descriptive, meaningful name that clearly identifies the token's purpose and intended use. Good naming practices help with organization and security auditing.

   ✅ Good Token Name Examples:

   • "Analytics Dashboard Integration" - Specific purpose and system
   • "Third-party CRM Sync - Production" - Purpose and environment
   • "Automated Reporting System - Q4 2025" - Purpose and timeframe
   • "Mobile App Backend - iOS" - Application and platform

   Creation Date

   Automatically populated with the current date and time when the token is generated. This helps track token age and lifecycle.

   Expiration Period

   Select an appropriate expiration timeframe based on your integration needs. Available options depend on your administrator's security settings:

   🕐 Short-term (Minutes to Hours)

   • Best for: Testing, development, temporary access
   • Security: Highest - minimal exposure window
   • Use cases: API testing, proof of concepts

   📅 Medium-term (Days to Months)

   • Best for: Project-based integrations, seasonal applications
   • Security: Balanced - defined lifecycle
   • Use cases: Campaign tools, temporary dashboards

   📆 Long-term (Years)

   • Best for: Stable, long-running integrations
   • Security: Moderate - requires monitoring
   • Use cases: Production systems, core integrations

   ♾️ Unlimited (No Expiration)

   • Best for: Critical systems requiring continuous access
   • Security: Requires careful management
   • Availability: Only if enabled by administrator
7. Generate the Token: After configuring all settings, click the checkmark icon to save your configuration and generate the Bearer token.
   
   
8. Secure Token Storage: The Bearer token is displayed immediately after it is generated. This is your only opportunity to view the complete token value.

   🔐 Critical Security Step:

   • Use the clipboard icon to copy the complete token value
   • Store it immediately in a secure location (password manager, encrypted vault, secure configuration)
   • Verify the token is saved before closing this window
   • The token cannot be retrieved again after this step
   

⚠️ Critical Security Reminder: Bearer tokens cannot be retrieved after the initial display. The plain token value is not stored by Axero for security reasons. A cryptographic hash is retained for validation purposes. If you lose a token, you must create a new one and update all applications that use it. Plan accordingly and store tokens in a secure, accessible location.

Impersonation Tokens

Impersonation tokens let an administrator with impersonation permission create a token on behalf of another user. For details on how to impersonate a user, see Impersonating a User.

Create an Impersonation Token

1. From the Admin area, impersonate the user.

2. While impersonating, open the user’s Integrations page.

3. Select Add Authorization to create a new token.

4. The new token appears in the list with a purple impersonation tag.

Accessing and Managing Tokens

Impersonation tokens are only visible to administrators with the impersonation permission.

• While impersonating a user, the admin can open the user’s Integrations page to view all tokens linked to that account. Impersonation tokens are marked with a purple tag and can be revoked at any time.

• When the user logs in normally, they see only their own authorizations. Impersonation tokens are hidden from their view and cannot be managed from their account.

Create an Impersonation Token via API

Administrators can also create impersonation tokens using the Create Bearer Token for User endpoint in the REST API.
This method is useful when tokens need to be generated by integrations or automation tools.

Note: Once created, the token value is displayed only once. Copy and store it securely for future use. Each API request to create a bearer token generates a new token.

Using Your Bearer Token

Once you've created and securely stored your Bearer token, you can use it to authenticate API requests. The token must be included in the Authorization header of every API call.

Authentication Header Format

Authorization: Bearer YOUR-BEARER-TOKEN-HERE

Replace YOUR-BEARER-TOKEN-HERE with the actual token value you copied during creation.

Example API Requests

curl -X GET "https://yoursite.axero.com/api/users/me" \
  -H "Authorization: Bearer YOUR-BEARER-TOKEN-HERE" \
  -H "Content-Type: application/json"

fetch('https://yoursite.axero.com/api/users/me', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer YOUR-BEARER-TOKEN-HERE',
    'Content-Type': 'application/json'
  }
})
.then(response => response.json())
.then(data => console.log(data));

import requests

headers = {
    'Authorization': 'Bearer YOUR-BEARER-TOKEN-HERE',
    'Content-Type': 'application/json'
}

response = requests.get('https://yoursite.axero.com/api/users/me', headers=headers)
data = response.json()

Managing Existing Tokens

The Authorizations section provides comprehensive lifecycle management for all your Bearer tokens. You can monitor token status, update the organization, and maintain security through proper token hygiene.

Token Information Dashboard

For each token in your Authorizations list, you can view important metadata to help manage your API integrations:

🔍 Security Note: The actual token value is never displayed after initial creation for enhanced security. Only metadata about the token is shown in the management interface. This prevents accidental exposure and ensures tokens remain secure.

Renaming a Token

Keep your token organization current by updating names to reflect changes in purpose, environment, or usage:

1. Locate the Token: Find the token you want to rename in your Authorizations list
2. Enter Edit Mode: Click the pencil icon next to the token name
3. Update the Name: Enter a new descriptive name that clearly identifies the token's current purpose
4. Save Changes: Click the checkmark icon to save your changes

Revoking a Token

Immediately and permanently disable a token when it's no longer needed or if security has been compromised. This is a critical security operation that should be performed carefully.

1. Identify the Token: Find the token you want to disable in your Authorizations list
2. Initiate Revocation: Click the trash icon next to the token entry to revoke it
3. Confirm Action: Review the confirmation dialog and confirm the revocation
4. Immediate Effect: The token is instantly invalidated - all API calls using it will fail with authentication errors

⚠️ Critical Warning: Token revocation is immediate and irreversible. Before revoking a token, ensure all applications using it are updated with a replacement token to prevent service disruptions. Consider creating and testing the new token before revoking the old one.

Token Security Best Practices

Following these security guidelines ensures your Bearer tokens remain secure and your API integrations are protected:

Next Steps

After creating your Bearer token, follow these steps to ensure successful implementation:

1. Test the Token: Verify it works with a simple API call using tools like Postman, curl, or your development environment
2. Update Applications: Replace any legacy API keys with the new Bearer token in your application configurations
3. Document Token Usage: Record which applications and services are using each token for future reference
4. Monitor Usage: Regularly review token activity and expiration dates in the Authorizations section
5. Plan Renewals: Set calendar reminders before tokens expire to ensure uninterrupted service