Tokens API — Types
NewToken
Returned when a new token is created. Contains the full (unredacted) token value.
| Field | Type | Description |
|---|
unredactedToken | ID! | The full, unredacted token value. Only returned once at creation time — store it securely. |
token | Token! | The full details of the created token |
expiresIn | Int | Seconds until the token expires. Null if the token never expires. |
primaryScope | TokenScope | The first scope attached to this token, if any. Null for tokens created without scopes (e.g., via createToken). |
Token
An API token.
| Field | Type | Description |
|---|
id | ID! | Unique token ID |
redactedToken | ID! | The redacted token value (e.g., abc1****5678) |
description | String! | Token description |
createdBy | ID! | User ID of the token creator |
createdAt | Time! | When the token was created |
updatedAt | Time! | When the token was last updated |
expiresAt | Time | When the token expires (null = no expiration) |
revokedAt | Time | When the token was revoked (null = still active) |
credentialId | ID | ID of the client credential that generated this token, if applicable. Null for tokens created directly via JWT. |
scopes | [TokenScope!]! | Authorization scopes granted to this token |
scopesHistory | [TokenScopeAction!]! | History of scope changes |
TokenScope
An authorization scope granted to a token. Scopes determine which resources/APIs a token can access.
| Field | Type | Description |
|---|
id | ID! | Scope ID |
tokenID | ID! | The token this scope belongs to |
scopeType | ScopeType! | The scope type |
scopeKey | ID! | The scope key (e.g., company ID or plan ID) |
createdAt | Time! | When the scope was added |
deletedAt | Time | When the scope was removed (null = still active) |
TokenScopeAction
An audit record for scope changes.
| Field | Type | Description |
|---|
id | ID! | Record ID |
tokenId | ID! | Token ID |
scopeId | ID! | Scope ID |
updatedBy | ID! | Who made the change |
updatedAt | Time! | When the change was made |
action | TokenScopeActionType! | The action taken |
scope | TokenScope! | The scope that was affected |
ClientCredential
A client ID/secret pair bound to one or more companies, used for programmatic token generation without JWT authentication.
| Field | Type | Description |
|---|
id | ID! | Unique credential ID |
clientId | ID! | The client identifier used for authentication |
redactedClientSecret | String! | The redacted client secret. The full secret is only returned at creation time. |
companyIds | [ID!]! | The companies this credential is bound to |
createdBy | ID! | User ID of the credential creator |
createdAt | Time! | When the credential was created |
updatedAt | Time! | When the credential was last updated |
revokedAt | Time | When the credential was revoked, if applicable |
revokedBy | ID | Who revoked the credential, if applicable |
lastUsedAt | Time | When this credential was last used to generate a token |
NewClientCredential
Returned when a client credential is first created. The full client secret is only available at this time.
| Field | Type | Description |
|---|
clientId | ID! | The client identifier |
clientSecret | ID! | The full client secret. Only returned once — store it securely. |
credential | ClientCredential! | The full details of the created credential |
Enums
ScopeType
The type of resource that can be authorized for a given token.
| Value | Description |
|---|
COMPANY | Access to company-level resources (Catalog, Program Progress, Assessment Progress, Learning Plan Progress APIs) |
PLAN_REPORT | Access to the Reports API for a specific learning plan report |
CATALOG_COMPANY | Deprecated — Use COMPANY instead. Legacy scope for catalog access. |
TokenScopeActionType
| Value | Description |
|---|
ADD | A scope was added to the token |
REMOVE | A scope was removed from the token |
Input Types
| Field | Type | Required | Description |
|---|
description | String! | Yes | Description of the API token |
expiresAt | Time | No | Optional expiration date |
| Field | Type | Required | Description |
|---|
tokenId | ID! | Yes | The token to add the scope to |
scopeType | ScopeType! | Yes | The scope type |
scopeKey | ID! | Yes | The scope key |
| Field | Type | Required | Description |
|---|
companyIds | [ID!]! | Yes | The company IDs to bind this credential to |
revokeExisting | Boolean | No | When true, revokes all existing active credentials that overlap with any of the specified company IDs before creating the new one. Defaults to false. |
| Field | Type | Required | Description |
|---|
clientId | ID! | Yes | The client ID of the credential |
clientSecret | String! | Yes | The client secret of the credential |
companyId | ID | No | The company to generate a COMPANY-scoped token for. Required when the credential is bound to multiple companies; omit to default to the credential's only company. |
Scalars
| Scalar | Description |
|---|
Time | Date and time formatted as RFC 3339 (e.g., 2025-06-15T10:00:00Z) |