Tokens API
The Tokens API allows authenticated users to create, manage, and revoke API tokens and their authorization scopes programmatically.
Endpoint
POST https://api.udacity.com/api/public/api/v1/tokens/graphql
Authentication
Unlike the other APIs (which use API token auth), the Tokens API primarily uses JWT authentication — meaning users must be logged in through Udacity’s auth system.
The Tokens API is typically used via the Udacity Management Portal (UMP) rather than directly by API consumers. It’s documented here for completeness and for advanced integrations.
Overview
| Operation | Type | Description |
|---|---|---|
| tokens | Query | List your API tokens |
| createToken | Mutation | Create a new API token |
| revokeToken | Mutation | Revoke an existing token |
| addTokenScope | Mutation | Add a scope to a token (staff only) |
| removeTokenScope | Mutation | Remove a scope from a token (staff only) |
Key concepts
Token lifecycle
- Create — Generate a new token with a description and optional expiration
- Add scopes — Assign authorization scopes that determine what the token can access
- Use — Include the token in `Authorization: Token <key>` headers
- Revoke — Invalidate the token when it’s no longer needed
Scopes
Tokens are only useful when they have scopes. Scopes control which APIs and resources a token can access:
| Scope Type | Format | Grants access to |
|---|---|---|
| COMPANY | `COMPANY:<companyId>` | Company-level resources (Catalog, Program Progress, Assessment Progress, Learning Plan Progress) |
Token security
- The full token value is only returned once at creation time
- Subsequent queries only return a redacted version
- Tokens can have an expiration date
- Revoked tokens are immediately invalidated
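The token lifecycle and the token security properties above, modeled as a small in-memory store. This is an added illustration, not Udacity's implementation or API: the class, method and field names are hypothetical, and hashing the key at rest and the redaction format are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class TokenStore:
    """Toy model of create / add scope / use / revoke (all names hypothetical)."""

    def __init__(self):
        self._by_id = {}

    def create(self, description, ttl=None):
        key = secrets.token_urlsafe(32)
        token_id = secrets.token_hex(4)
        self._by_id[token_id] = {
            "description": description,
            "digest": hashlib.sha256(key.encode()).digest(),  # assumption: only a hash is kept
            "redacted": key[:4] + "...",                      # assumption: redaction format
            "expires_at": datetime.now(timezone.utc) + ttl if ttl is not None else None,
            "scopes": set(),
            "revoked": False,
        }
        return token_id, key  # the only point where the full key is returned

    def list_tokens(self):
        return [{"id": i, "description": r["description"], "key": r["redacted"]}
                for i, r in self._by_id.items()]

    def add_scope(self, token_id, company_id):
        self._by_id[token_id]["scopes"].add(f"COMPANY:{company_id}")

    def revoke(self, token_id):
        self._by_id[token_id]["revoked"] = True

    def authorize(self, header, company_id, now=None):
        """Check the value of an 'Authorization: Token <key>' header for one company."""
        scheme, _, key = header.partition(" ")
        if scheme != "Token" or not key:
            return False
        digest = hashlib.sha256(key.encode()).digest()
        now = now or datetime.now(timezone.utc)
        for rec in self._by_id.values():
            if hmac.compare_digest(rec["digest"], digest):  # constant-time comparison
                if rec["revoked"] or (rec["expires_at"] and now >= rec["expires_at"]):
                    return False
                return f"COMPANY:{company_id}" in rec["scopes"]
        return False
```

A freshly created token authorizes nothing until a scope is added, and a revoked or expired token fails even with the correct key.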