xpna

Appearance

Access Tokens

Notes:

xpnAI is currently in feature preview and as such documentation for this feature is still work in progress

Overview

Access Tokens allow tool access for one of your workspaces without completing the browser-based OAuth connection flow each time.

Each token is:

  • scoped to one signed-in user and one workspace
  • created with a label so it can be identified later
  • created with one of the allowed expiry options
  • shown in full only once at creation time
  • revocable immediately for new MCP requests
  • extendable with a new allowed expiry option
  • deletable after expiry or revocation when the token no longer needs to remain in the list

Create a token

  • Open xpna web.
  • Open Settings.
  • Select Access Tokens.
  • Select the workspace for the token. The current workspace is selected by default.
  • Select the token use. The current self-service page supports MCP.
  • Enter a label that helps identify the token later.
  • Select one of the available expiry options.
  • Select Create token.
  • Copy the one-time secret before leaving the page.

Manage existing tokens

The Access Tokens page shows all access tokens created by the signed-in user across accessible workspaces, including:

  • the label used at creation time
  • the workspace name and identifier
  • the created date
  • the expiry date
  • the token use
  • the current status
  • the last-used date when xpna has seen the token on a successful MCP request

Revoke a token

  • Open Settings.
  • Select Access Tokens.
  • Locate the token to revoke.
  • Select Revoke.
  • Confirm the action.

After revocation, new MCP requests using that token fail immediately.

Extend a token

  • Open Settings.
  • Select Access Tokens.
  • Locate the token to extend.
  • Select Extend.
  • Choose a new expiry option.
  • Select Extend again to apply it.

Extending updates the expiry date. If the token is expired or revoked, extending it makes the token active again.

Delete an expired or revoked token

  • Open Settings.
  • Select Access Tokens.
  • Locate a token that already shows an Expired or Revoked status.
  • Select Delete.
  • Confirm the action.

Deleting permanently removes the token from the list.

Important behaviour

  • The secret is not shown again after the creation state is cleared.
  • Create a new token instead of trying to recover an old secret.
  • Extending a token updates the expiry but does not show the secret again.
  • Token status and last-used details update from actual MCP requests authenticated against xpna.

Copyright © 2025 xpna