Access Tokens

From GoCD server version 19.2.0 onwards, you will be able to create personal access tokens to access GoCD API(s). This will allow users to make an API call without specifying their credentials (username & password) as a part of API request headers.

Usage instructions

  1. A token can be used to access GoCD APIs and cctray.xml by passing it in API header.

    Before 19.2.0

    1. curl 'https://ci.example.com/go/api/pipelines/pipeline1/status' \
    2. -u 'username:password'

    Going forward

    1. curl 'https://ci.example.com/go/api/pipelines/pipeline1/status' \
    2. -H 'Authorization: Bearer 6A7B48094CC552B9A2DF0AFADAF50D28F0646070'
  2. A token can not be used to create or access any access token related API(s).

  3. Login using access token is not allowed through web UI.

  4. Once a token is revoked, the user will not be able to activate it again.

  5. All tokens belonging to a user will be revoked automatically as soon as the user is deleted from GoCD.

    • Note: These tokens will not be visible again even if the same user is added back to GoCD.

Create a token

  1. Login into your GoCD server.

  2. Go to user menu → Personal Access Tokens. “Navigate to personal access token”

  3. Click on Generate Token button. “Generate token button”

  4. Add a description for the token. This is to identify what is this token for? “Generate a token”

  5. Click on Generate button.

  6. On success, you will see the newly generated token.

    Make sure you copy the token before you close the dialog. It will not be shown again.

    “Newly generated token”

Revoke a personal token

  1. Login into your GoCD server.

  2. Go to user menu → Personal Access Tokens. “Navigate to personal access token”

  3. Find the token which you wish to revoke in ACTIVE TOKENS tab. “active access token list”

  4. Click on the Revoke button.

  5. Optionally, add a reason for revoking the token. “revoke access token cause”

  6. Click on Revoke Token button.

  7. On success, the token just revoked will be shown in REVOKED TOKENS tab. “revoked access token”

Manage access tokens (admin only)

  1. Login into your GoCD server.

  2. Go to Admin menu → Security → Access Tokens Management. “Navigate to admin access token”

  3. The admin will be able to see all the tokens created by all the users

    • Active tokens “active access tokens”

    • Revoked tokens “revoked access tokens”

  4. The admin can use the search box on the top-right to search tokens on the basis of Created By and Description.

Revoke token

  1. Login into your GoCD server.

  2. Go to Admin menu → Security → Access Tokens Management. “Navigate to admin access token”

  3. Find the token which you wish to revoke in ACTIVE TOKENS tab. “active access tokens”

  4. Click on the Revoke button.

  5. Optionally, add a reason for revoking the token. “revoke access token cause”

  6. Click on Revoke Token button.

  7. On success, the token just revoked will be shown in REVOKED TOKENS tab. “revoked access tokens”