Skip to main content

Authentication

All Tokencraft API requests require authentication using Bearer tokens. This guide explains how to create and use API tokens securely.

Creating an API Token

  1. Log in to your Tokencraft dashboard
  2. Navigate to API in the sidebar
  3. Click “New Token”
  4. Enter a descriptive name for your token
  5. Click “Create Token”
  6. Copy the token immediately - you won’t be able to see it again!
API tokens are shown only once. Store them securely in a password manager or environment variable.

Token Format

Tokencraft API tokens follow this format: 
dtk_[random_string]
Example: dtk_1234567890abcdef1234567890abcdef12345678

Using Your Token

Include your API token in the Authorization header of every request: 
Authorization: Bearer dtk_your_token_here

Examples

curl -H "Authorization: Bearer dtk_your_token_here" \
  https://app.tokencraft.dev/api/v1/workspaces

Environment Variables

Store your token as an environment variable for security: 
TOKENCRAFT_TOKEN=dtk_your_token_here
TOKENCRAFT_API_BASE=https://app.tokencraft.dev/api/v1

Token Permissions

Each API token can access:
  • All workspaces owned by your account
  • All tokensets within those workspaces
  • All tokens and modes
API tokens always include read access. Write operations (POST, PATCH, DELETE) are available only on PRO and TEAM plans. If you’re on the FREE plan, write requests will return 403 until you upgrade.

Token Management

Viewing Active Tokens

See all your active API tokens in the Settings page:
  • Token name
  • Creation date
  • Last used date
  • Partial token display (first 12 characters)

Revoking Tokens

To revoke a token:
  1. Go to Settings
  2. Find the token in the list
  3. Click the trash icon
  4. Confirm deletion
Revoking a token is immediate and cannot be undone. Any applications using the revoked token will stop working immediately.

Security Best Practices

✅ Do’s

  • Store tokens in environment variables
  • Use different tokens for different environments (dev, staging, production)
  • Rotate tokens regularly
  • Revoke tokens immediately if compromised
  • Use secret management services (AWS Secrets Manager, HashiCorp Vault, etc.)

❌ Don’ts

  • Never commit tokens to version control
  • Never share tokens via email or chat
  • Never log tokens in plain text
  • Never use production tokens in development
  • Never hard-code tokens in your application

Error Responses

401 Unauthorized

Missing or invalid token: 
{
  "error": "Invalid API token"
}
Causes:
  • Token not provided in Authorization header
  • Token format is incorrect
  • Token has been revoked
  • Token doesn’t exist
Solution:
  • Verify your token is correct
  • Check the Authorization header format
  • Generate a new token if necessary

429 Too Many Requests

Rate limit exceeded: 
{
  "error": "Rate limit exceeded. Please try again later."
}
See Rate Limits for more information.

CI/CD Integration

GitHub Actions

Store your token as a secret:
.github/workflows/sync-tokens.yml
name: Sync Design Tokens

on:
  schedule:
    - cron: '0 0 * * *'  # Daily

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Download tokens
        run: |
          curl -H "Authorization: Bearer ${{ secrets.TOKENCRAFT_TOKEN }}" \
            "${{ secrets.TOKENCRAFT_API_BASE }}/tokensets/${{ secrets.TOKENSET_ID }}/modes/light/export?format=css" \
            -o src/tokens.css
      
      - name: Commit changes
        run: |
          git config user.name "GitHub Actions"
          git config user.email "[email protected]"
          git add src/tokens.css
          git diff --staged --quiet || git commit -m "Update design tokens"
          git push

GitLab CI

.gitlab-ci.yml
sync-tokens:
  script:
    - curl -H "Authorization: Bearer $TOKENCRAFT_TOKEN"
        "$TOKENCRAFT_API_BASE/tokensets/$TOKENSET_ID/modes/light/export?format=css"
        -o src/tokens.css
  only:
    - schedules

Rate Limiting

Each API token is subject to rate limiting:
  • 100 requests per minute per token
  • Rate limit resets every 60 seconds
  • Headers include rate limit information
See Rate Limits for details.

Next Steps

API Reference

Explore all available endpoints

Rate Limits

Understand rate limiting

Error Handling

Learn about error responses

GitHub Actions

Automate token syncing