
Personal API Tokens (Legacy)

Deprecated for automation

Personal API Tokens are tied to an individual user's identity and inherit that user's full permissions. They are not recommended for automation, CI/CD, scripts, or any machine-to-machine integration.

For all programmatic access, use Service Accounts instead. Service accounts provide scoped, auditable, least-privilege access that survives employee turnover and can be rotated independently.

Personal API Tokens allow you to interact with Admiral programmatically via our REST API using your own user identity.

Why You Should Avoid Personal Tokens

Personal tokens carry several risks that service accounts solve:

| Concern | Personal API Token | Service Account |
|---|---|---|
| Identity | Bound to a human user | Independent machine identity |
| Permissions | Inherits the user's full access | Scoped via policies (least privilege) |
| Offboarding | Breaks when the user is removed | Unaffected by user lifecycle |
| Auditability | Actions attributed to a person | Actions attributed to the workload |
| Rotation | Manual, all-or-nothing | Multiple keys, zero-downtime rotation |
| Blast radius | Often very broad | Constrained to granted scopes |

If you are building anything automated, stop here and read Service Accounts.

Creating an API Token

  1. Go to Settings > API Tokens
  2. Click New Token
  3. Enter a descriptive name (e.g., "Personal testing")
  4. Set an expiration date (recommended)
  5. Click Create Token

Token Components

Each token consists of two parts:

  • Token ID: A unique identifier (e.g., tok_abc123xyz)
  • Secret Key: A cryptographic secret (e.g., sk_live_...)

Important

The Secret Key is only displayed once upon creation. Store it securely immediately. If you lose it, you must create a new token.

Using API Tokens

Include your token in the Authorization header:

curl -H "Authorization: Bearer sk_live_your_secret_key" \
https://api.admrl.co/v1/devices

Complete API Documentation

Full API reference with request/response schemas:

https://api-admiral.qdyn.au/v1/swagger/

Token Permissions

Personal tokens inherit the permissions of the user who created them:

  • Admin user tokens: Full API access
  • Member user tokens: Limited to permitted fleets

Because the permissions are inherited wholesale, they cannot be narrowed. This is the core reason they are unsuitable for automation.

Rate Limiting

Admiral API enforces rate limits to ensure platform stability:

  • Standard tier: 1,000 requests per hour
  • Professional tier: 10,000 requests per hour
  • Enterprise tier: Custom limits

Rate limit headers:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 847
X-RateLimit-Reset: 1642089600

If you exceed the limit, you'll receive a 429 Too Many Requests response.
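
The request and rate-limit handling described above, as an added example that is not part of Admiral's documentation or tooling: the Secret Key is fed to curl over stdin rather than on the command line, and the wait after a 429 is computed from the X-RateLimit headers. The ADMIRAL_SECRET_KEY variable, the function names and the allowed key characters are assumptions.

```shell
#!/bin/sh
# Added example, not Admiral's own tooling. ADMIRAL_SECRET_KEY is an assumed
# environment variable name; the key character set below is also an assumption.

# Emit a curl config holding the Authorization header so the Secret Key is
# passed on stdin and never shows up in argv (process list, shell history).
admiral_curl_config() {
    [ -n "${ADMIRAL_SECRET_KEY:-}" ] || { echo "ADMIRAL_SECRET_KEY is not set" >&2; return 1; }
    # Refuse quotes, whitespace and anything else that could alter the config line.
    case $ADMIRAL_SECRET_KEY in
        *[!A-Za-z0-9_-]*) echo "unexpected character in Secret Key" >&2; return 1 ;;
    esac
    printf 'header = "Authorization: Bearer %s"\n' "$ADMIRAL_SECRET_KEY"
}

# GET /v1/<path>. Fails closed: no request is sent without a usable key.
admiral_get() {
    cfg=$(admiral_curl_config) || return 1
    # printf is a shell builtin in bash and dash, so no process argv carries the key.
    printf '%s\n' "$cfg" | curl --silent --show-error --fail --config - "https://api.admrl.co/v1/$1"
}

# Read response headers on stdin; print the seconds to wait before the next
# request. $1 is the current epoch time (defaults to now).
ratelimit_wait() {
    now=${1:-$(date +%s)}
    tr -d '\r' | awk -v now="$now" -F': *' '
        { key = tolower($1) }
        key == "x-ratelimit-remaining" { remaining = $2 + 0; seen = 1 }
        key == "x-ratelimit-reset"     { reset = $2 + 0 }
        END {
            if (!seen || remaining > 0 || reset <= now) print 0
            else printf "%d\n", reset - now
        }'
}

# Constructed sample built from the header names shown above; prints 600.
printf 'X-RateLimit-Remaining: 0\r\nX-RateLimit-Reset: 1642089600\r\n' | ratelimit_wait 1642089000
```

To use it, export the key from a secrets store into ADMIRAL_SECRET_KEY, call `admiral_get devices`, and sleep for the value `ratelimit_wait` prints before retrying after a 429.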

Migrating to Service Accounts

If you are currently using a personal token for automation:

  1. Create a Service Account for the workload.
  2. Attach a policy granting only the access it needs.
  3. Mint a key and update your systems to use the new client credentials.
  4. Revoke the personal token.
