Product Docs
Self Hosting
Scripts ☁
Changelog (EE)

API tokens

This article explains how to create and work with API Tokens.

Create API Token

Open Account Settings page from the user menu in the bottom left corner of the sidebar.

  1. Click on User menu in the bottom left corner of the sidebar,
  2. Select Account Settings from the dropdown

profile page

Follow the steps below to create API Token

  1. Click on Tokens tab in the Account Settings page
  2. Click on Add New API Token
  3. Enter the name for the API Token
  4. Click on Save button to save the changes
  5. Copy the API Token by clicking on Copy button displayed under Actions menu
  6. Use the API Token in the services that require it to authenticate. You can use either the xc-token header or the Authorization header with bearer token format.

Option 1: Using xc-token header

{
  "headers": {
    "xc-token": "Copied API token here under quotes"
  }
}

Option 2: Using Authorization header (since v0.264.7)

{
  "headers": {
    "Authorization": "Bearer Copied API token here under quotes"
  }
}

Create API Token

Create API Token

API Token does not expire, but can be deleted anytime. Both xc-token and Authorization: Bearer header formats are supported for authentication.

API Token created will get added to the list. Copy API token by clicking on Copy button displayed under Actions menu

Create API Token

Authentication Methods

NocoDB supports two methods for API token authentication:

Method 1: xc-token Header

Use the xc-token header with your API token value directly:

{
  "headers": {
    "xc-token": "your_api_token_here"
  }
}

Method 2: Authorization Header (since v0.264.7)

Use the standard Authorization header with Bearer token format:

{
  "headers": {
    "Authorization": "Bearer your_api_token_here"
  }
}

Both methods are equivalent and provide the same level of security. Choose the one that best fits your application's authentication patterns.

Delete API Token

Note that, all the services using the API Token will stop working once the API Token is deleted.

Open Account Settings page from the user menu in the bottom left corner of the sidebar.

  1. Click on User menu in the bottom left corner of the sidebar,
  2. Select Account Settings from the dropdown

profile page

  1. Click on Tokens tab in the Account Settings page
  2. From the Actions menu, click on Delete button associated with the API Token to be deleted

Delete API Token

API Token Access with SSO-Enabled Workspaces

If a workspace is configured to enforce Single Sign-On (SSO), API access to that workspace is restricted to tokens that are created after authenticating via SSO.

Tokens created before SSO was enabled do not have the necessary identity context and will not work for SSO-enforced workspaces.

To access an SSO-enforced workspace via API, users must:

  1. Sign in using SSO.
  2. Generate a new API token from their authenticated session.
Tokens created before SSO enforcement may still work for other workspaces that do not require SSO.

For ease of identification, tokens created after SSO is enabled will have a badge indicating they were generated through SSO authentication.

API Token SSO Badge

What Happens When SSO is Disabled?

If SSO is later disabled for a workspace:

  • API tokens that were created via SSO authentication will continue to work as long as the user is still active and has the required permissions.
  • Tokens created prior to enabling SSO will continue to function & can now access the workspace without SSO authentication.
  • No tokens are automatically revoked when SSO is disabled.

Profile page

This article explains how to manage your profile page.

Language settings

This article explains how to change the language settings in NocoDB.