API Tokens
API tokens let you connect external systems, scripts, and tooling to the Mirox platform with scoped, revocable credentials that never expose your password. Each token authenticates machine-to-machine requests on your behalf, so you can automate reporting and export metrics without sharing your login.
Token Concept
Every token belongs to the user who created it and behaves as that user, within limits:
- Tied to your account — a token acts on your behalf, and everything it does is attributed to you in the audit trail.
- Permission ceiling — a token can never reach anything you cannot reach yourself. Your own role and resource access always cap what the token sees.
- Scoped by permission group — you pick a permission group at creation time to narrow the token further (see below).
- Shown once — the full token value is displayed a single time when you create it. Store it securely; Mirox keeps only a hashed copy and can never show it again.
This keeps automation accountable: even if a token is compromised, it is limited to one scope, easy to revoke, and isolated from your other tokens.
Permission Groups
When you create a token you choose one permission group that defines what it may do:
| Group | What the token can do |
|---|---|
| Full Access | Acts with your complete access — every API surface you can reach. |
| Reporting | Generate and download reports and exports only. |
| Timeseries Database | Read time-series metrics only. |
A group never widens your access; it only narrows the token relative to your own permissions. For the full definition of each group, see the API permission groups section of the permission system documentation.
Match the group to the job
Give each integration the narrowest group that still works. A nightly report job needs only Reporting; a metrics read client needs only Timeseries Database. This limits the blast radius if a token leaks.
Creating and Managing Tokens
You manage your tokens from your profile. The platform covers the full lifecycle:
Creating a Token
- Name and description — a clear label and note so you remember what each token is for.
- Permission group — choose one of the groups above.
- Expiration — optional. Tokens default to a one-year lifetime, and you can set any expiry up to a maximum of five years.
- One-time reveal — the complete token is shown once at creation, then never again.
You can hold up to 64 active tokens per account.
Create and rotate require a logged-in session
Creating, rotating, or deleting a token requires an active browser login (cookie session). You cannot use one API token to mint or rotate another — this prevents a leaked token from quietly creating more.
Rotating a Token
Rotation replaces a token's secret in place without changing its name, description, or permission group:
- A new secret is issued and shown once.
- The old secret stops working immediately.
- The expiry resets and usage history is cleared.
Rotation is the recommended way to refresh long-lived integrations on a schedule, or to respond to a suspected leak, without reconfiguring which integration uses which token.
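The behaviour described under Token Concept and Rotating a Token (one-time reveal with hash-only storage, the permission ceiling, and in-place rotation) is modelled below. This is an added illustration, not Mirox's implementation: the `TokenStore` class, the surface names `reports` and `timeseries`, the use of SHA-256, and resetting the expiry to a fresh one-year lifetime on rotation are all assumptions.

```python
import hashlib, hmac, secrets
from datetime import timedelta

# Assumed mapping of permission groups to API surfaces (surface names are hypothetical).
GROUPS = {
    "Full Access": None,                  # None = no narrowing beyond the owner's access
    "Reporting": {"reports"},
    "Timeseries Database": {"timeseries"},
}
DEFAULT_LIFETIME = timedelta(days=365)    # one-year default lifetime, per the page


def _digest(secret: str) -> str:
    # A fast hash is acceptable for high-entropy random secrets (unlike passwords).
    return hashlib.sha256(secret.encode()).hexdigest()


class TokenStore:
    """Toy model: keeps only a hash of each secret, never the secret itself."""

    def __init__(self):
        self.records = {}  # name -> {hash, group, expires, last_used}

    def create(self, name, group, now):
        if group not in GROUPS:
            raise ValueError(f"unknown permission group: {group}")
        secret = secrets.token_urlsafe(32)
        self.records[name] = {"hash": _digest(secret), "group": group,
                              "expires": now + DEFAULT_LIFETIME, "last_used": None}
        return secret  # the only time the full value is available

    def rotate(self, name, now):
        rec = self.records[name]  # name and permission group stay as they were
        secret = secrets.token_urlsafe(32)
        # Overwriting the hash is what makes the old secret stop working at once.
        rec.update(hash=_digest(secret), expires=now + DEFAULT_LIFETIME, last_used=None)
        return secret

    def authorize(self, secret, surface, owner_access, now):
        """True only if the secret is live and the surface is within owner AND group."""
        presented = _digest(secret)
        for rec in self.records.values():
            if hmac.compare_digest(rec["hash"], presented) and now < rec["expires"]:
                rec["last_used"] = now
                allowed = GROUPS[rec["group"]]
                scope = owner_access if allowed is None else owner_access & allowed
                return surface in scope
        return False
```

Because the store holds only digests, a copy of `records` is not enough to replay a token, and a Full Access token still cannot reach a surface its owner lacks.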
Monitoring and Revoking
- Inventory — list all your tokens with their name, permission group, creation and expiry dates.
- Usage insight — see when each token was last used, along with the IP, location, browser, and operating system captured at that time. The token value itself is never re-shown.
- Immediate revocation — delete a token to invalidate it instantly. Revoking one token never affects the others.
Common Use Cases
API tokens support a wide range of integration scenarios.
Reporting and Data Export
- Schedule automated report generation and download.
- Feed performance data into data warehouses and analytics pipelines.
- Power external dashboards and executive reporting tools.
Time-Series Metrics Access
- Query historical metrics with MiroxQL, the supported query format for programmatic and raw data access.
- Connect read-only analytics tooling to the metrics export API.
- Pull historical metrics for trend analysis and external dashboards.
Security and Control
- Token isolation — a compromised token never exposes your password or your other tokens.
- Scheduled rotation — rotate long-lived tokens periodically using the rotate action, keeping the same configuration.
- Time-limited validity — set an expiry so abandoned tokens age out automatically.
- Full attribution — every action a token takes is logged against you, so usage stays accountable and auditable.
Related Features
- Permission System — how permission groups and access control work
- Reports — automated report generation a token can drive
- MiroxQL — query historical metrics with a Timeseries Database token
- API Tokens Usage Guide — step-by-step token creation and examples