Personal API Tokens (Legacy)
Personal API Tokens are tied to an individual user's identity and inherit that user's full permissions. They are not recommended for automation, CI/CD, scripts, or any machine-to-machine integration.
For all programmatic access, use Service Accounts instead. Service accounts provide scoped, auditable, least-privilege access that survives employee turnover and can be rotated independently.
Personal API Tokens allow you to interact with Admiral programmatically via our REST API using your own user identity.
Why You Should Avoid Personal Tokens
Personal tokens carry several risks that service accounts solve:
| Concern | Personal API Token | Service Account |
|---|---|---|
| Identity | Bound to a human user | Independent machine identity |
| Permissions | Inherits the user's full access | Scoped via policies (least privilege) |
| Offboarding | Breaks when the user is removed | Unaffected by user lifecycle |
| Auditability | Actions attributed to a person | Actions attributed to the workload |
| Rotation | Manual, all-or-nothing | Multiple keys, zero-downtime rotation |
| Blast radius | Often very broad | Constrained to granted scopes |
If you are building anything automated, stop here and read Service Accounts.
Creating an API Token
- Go to Settings > API Tokens
- Click New Token
- Enter a descriptive name (e.g., "Personal testing")
- Set an expiration date (recommended)
- Click Create Token
Token Components
Each token consists of two parts:
- Token ID: A unique identifier (e.g., tok_abc123xyz)
- Secret Key: A cryptographic secret (e.g., sk_live_...)
The Secret Key is only displayed once upon creation. Store it securely immediately. If you lose it, you must create a new token.
Using API Tokens
Include your token in the Authorization header:

```bash
curl -H "Authorization: Bearer sk_live_your_secret_key" \
  https://api.admrl.co/v1/devices
```
Complete API Documentation
Full API reference with request/response schemas:
https://api-admiral.qdyn.au/v1/swagger/
Token Permissions
Personal tokens inherit the permissions of the user who created them:
- Admin user tokens: Full API access
- Member user tokens: Limited to permitted fleets
Because the permissions are inherited wholesale, they cannot be narrowed. This is the core reason they are unsuitable for automation.
Rate Limiting
Admiral API enforces rate limits to ensure platform stability:
- Standard tier: 1,000 requests per hour
- Professional tier: 10,000 requests per hour
- Enterprise tier: Custom limits
Rate limit headers:

```
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 847
X-RateLimit-Reset: 1642089600
```
If you exceed the limit, you'll receive a 429 Too Many Requests response.
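As an added example (not Admiral's own client code), the following Python helpers build the Bearer header from the Using API Tokens section and read the X-RateLimit-* headers and 429 status from this section to decide how long a client should wait before its next request. The rejection of a tok_... value as the secret and the 60-second fallback when a 429 carries no rate-limit headers are assumptions, not behaviour the page documents.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class RateLimit:
    limit: int
    remaining: int
    reset_epoch: int  # X-RateLimit-Reset, Unix seconds


def auth_headers(secret_key: str) -> dict:
    """Build the Authorization header. Only the secret key (sk_...) authenticates;
    the token ID (tok_...) is an identifier, so passing it is a mistake (assumed check)."""
    if not secret_key or secret_key.startswith("tok_"):
        raise ValueError("pass the secret key (sk_...), not the token ID (tok_...)")
    return {"Authorization": f"Bearer {secret_key}"}


def parse_rate_limit(headers: dict) -> Optional[RateLimit]:
    """Read the X-RateLimit-* headers (names matched case-insensitively); None if absent."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        return RateLimit(int(h["x-ratelimit-limit"]),
                         int(h["x-ratelimit-remaining"]),
                         int(h["x-ratelimit-reset"]))
    except (KeyError, ValueError):
        return None


def retry_delay(status: int, headers: dict, now: Optional[int] = None) -> Optional[int]:
    """Seconds to wait before the next request, or None when it can be sent now.
    Waits until X-RateLimit-Reset after a 429, and also when X-RateLimit-Remaining
    is already 0, so the client does not spend requests that will be rejected."""
    now = int(time.time()) if now is None else now
    rl = parse_rate_limit(headers)
    if status == 429:
        return max(0, rl.reset_epoch - now) if rl else 60  # 60 s fallback is assumed
    if rl and rl.remaining <= 0:
        return max(0, rl.reset_epoch - now)
    return None
```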
Migrating to Service Accounts
If you are currently using a personal token for automation:
- Create a Service Account for the workload.
- Attach a policy granting only the access it needs.
- Mint a key and update your systems to use the new client credentials.
- Revoke the personal token.
Next Steps
- Service Accounts - the recommended path for automation
- IAM, Policies & Access - how access is modelled
- Webhooks - real-time notifications