API Tokens

Endpoints

GET    /api/v1/api-tokens          list
POST   /api/v1/api-tokens          create   { name, scopes? }
DELETE /api/v1/api-tokens/:id      revoke

Token shape

```typescript
{
  user: ObjectId,
  team_id: ObjectId | null,
  name: string,
  hashed_token: string,        // never returned in JSON
  prefix: string,              // shown to the user for visual identification
  scopes: string[],            // default []
  last_used_at: Date | null,
  revoked_at: Date | null,
}
```

Important

The plaintext token is returned only once, in the response to POST /api/v1/api-tokens. Sosyabot stores a salted hash, not the token itself; if you lose the token, revoke it and issue a new one.

Scopes

Scopes match the public-API endpoints they unlock — posts:read, posts:write, accounts:read, etc. A token without scopes can still call session-cookie-only endpoints if it's used as a session bearer (uncommon).

Use

curl -H "Authorization: Bearer sosya_..." https://app.sosyabot.com/api/v1/public/posts