Access Tokens
Notes:
xpnAI is currently in feature preview and as such documentation for this feature is still work in progress
Overview
The Access Tokens page is used to create, review, and control access tokens for supported automation flows.
Each token is scoped to one signed-in user and one workspace. The current self-service page supports MCP tokens.
What the page is used for
Token creation and token lifecycle management are brought together on one page.
The following tasks can be completed on this page:
- a new access token can be created for a selected workspace
- existing tokens can be reviewed across accessible workspaces
- the list can be searched by label or workspace
- the list can be filtered by token status
- the latest token state can be reloaded without leaving the page
- active tokens can be revoked
- expired or revoked tokens can be deleted
- tokens can be extended with a new allowed expiry option
Review tokens across workspaces
All access tokens created by the signed-in user across accessible workspaces are shown in one list.
The list includes:
- the label used at creation time
- the workspace name
- the created date
- the expiry date
- the token use
- the current status
- the last-used date
This makes the most common questions easier to answer at a glance:
- where the token is intended to be used
- whether the token is still valid
- whether the token is still being used
If a token has not been used yet, Not used yet is shown.
Search, filter, and refresh
The list can be narrowed without leaving the page.
- Search can be used to find tokens by label or workspace.
- Status filters can be used to focus on Active, Expired, or Revoked tokens.
- Refresh can be used to reload the latest token state.
If no rows match the current search or filters, xpna explains which filters are active so the list can be adjusted more easily.
Create an access token
A new token can be created from the same page.
- Open xpna web.
- Open Settings.
- Select Access Tokens.
- Select the workspace for the token. The current workspace is selected by default.
- Select the token use. The current self-service page supports MCP.
- Enter a label that helps identify the token later.
- Select one of the available expiry options.
- Select Create token.
- Copy the one-time secret before leaving the page.
Only a small number of fields are required, but each field affects how the token can be used:
- Label is used to identify the token later
- Workspace determines where the token belongs
- Expires in controls how long the token remains valid
- Use scopes the token correctly
One-time access token
After a token is created, xpna shows the secret once so it can be copied and stored safely.
Note:
The secret is shown in full only once.
Once the creation state is dismissed, xpna will not show the secret again.
If the secret is lost, a new token should be created.
The secret should be treated like a password. Anyone with the token can use it until the token expires or is revoked.
Manage token lifecycle
The common token lifecycle tasks are available from the Access Tokens page.
Revoke a token
- Locate the token to revoke.
- Select Revoke.
- Confirm the action.
After revocation, new requests using that token fail immediately.
Extend a token
- Locate the token to extend.
- Select Extend.
- Choose a new expiry option.
- Select Extend again to apply it.
Extending updates the expiry date. If the token is expired or revoked, extending it makes the token active again.
Delete an expired or revoked token
- Locate a token that already shows an Expired or Revoked status.
- Select Delete.
- Confirm the action.
Deleting permanently removes the token from the list.
Important behaviour
- The secret is not shown again after the creation state is cleared.
- Create a new token instead of trying to recover an old secret.
- Extending a token updates the expiry but does not show the secret again.
- Token status and last-used details are updated from successful authenticated requests.