If you are looking for information on how to use the api tokens via the API go to API General page.
PractiTest supports two types of API Tokens:
* We recommend using Personal API tokens for a secured process.*
To learn more about the differences please click here.
Personal API Tokens
What are Personal API Tokens?
The personal API token is a unique token given to a specific user and grants access ONLY to the areas this specific user is permitted on. It should be kept privately, like any other credentials. In case a user has more than one account - he will have a different Personal API Token for each account
To get a personal API Token, the account owner must enable it to the user through his account settings window as described in the Account Settings page.
Once the Personal API token is enabled for a user, he can find it in his user settings personal tab, as described in the Personal Settings
Account API Tokens
What are Account API Tokens?
API tokens grant access to read, create, update and delete data in PractiTest. Account API tokens grant this access to all the projects of your account. It should be kept privately, like any other credentials, but stronger since it controls all your accounts.
Only Account Administrator can see the API Token screen through the Account Settings.
What is the API Token name for?
Api Tokens have names so you can remember to who / what you gave access via the api tokens.
API Tokens that start with underscore are reserved for specific use / specific integration. Don’t use them unless it’s for a specific reason (followed by our instructions).
Best Practice using account tokens
In case you choose to work with account tokens although we recommend using PAT when possible, here are a few best practice tips.
Since you can create as many api_tokens as needed, rename them, disable and enable them, it is a best practice to give different api_tokens to different (code) purposes / business needs. Once you may have different business needs, or you’ll need to disable one of the functionality, it will be easier for your to just disable one API_Token at a time
Your API Tokens should be kept private, like any other credentials:
- When possible, use Personal API Tokens and not Account API tokens to restrict the access to your data according to specific users and tasks.
- Never send your API Token via an email
- If you’re writing a script or program that accesses the API, do not pass the token in cleartext (use HTTPS exclusively)
- Give specific API usage different API Tokens with an explicit name.
- If you suspect that your API token has been compromised, or you’re not sure for what reason it is used – Delete, disable or regenerate it.