Managing Authentication Tokens

The Posit Package Manager Authentication Tokens page provides a web interface to create, view, filter, and revoke API tokens. This complements the CLI-based token management commands described in Token Authentication.

Accessing Token Management

Note

The first global:admin token must be created using the CLI. Once you have an admin token, you can use the web interface to create additional tokens. See Token Authentication for CLI instructions.

Warning

The sign-in link is only visible when at least one authenticated repository has been created. If you don’t see the sign-in option, see Configuring Authenticated Repositories to set up authentication. This limitation will be removed in a future release.

To access the Authentication Tokens page:

  1. Sign in to Package Manager with a token that has global:admin scope
  2. Select the Settings icon (gear icon) in the top navigation bar
  3. Select Authentication Tokens from the sidebar

Creating Tokens

To create a token:

  1. Select the Create Token button
  2. Fill in the required fields:
    • User Email - Email address of the user this token is for
    • Token Description - Clear description of the token’s purpose (max 500 characters)
    • Permissions & Scope - Select resource type and access level
  3. Configure expiration
  4. Select Create Token
  5. Copy the token immediately - it won’t be shown again

Warning

The token value is only displayed once at creation time. If you lose it, you must create a new token.

Permission Scopes

Tokens can be scoped to different resource types and access levels:

All Resources

  • Admin (global:admin) - Full administrative access to the server

Repositories

  • Read (repos:read) - Download packages from authenticated repositories
  • Can limit to specific repositories or grant access to all repositories

Sources

  • Write (sources:write) - Upload and manage packages in sources
  • Admin (sources:admin) - Full control over sources
  • Can limit to specific sources or grant access to all sources

Blocklist Rules

  • Read (blocklist:read) - View blocklist rules
  • Admin (blocklist:admin) - Create, modify, and delete blocklist rules

Metadata

  • Read (metadata:read) - View custom metadata (deprecated - use repos:read instead)
  • Admin (metadata:admin) - Create, modify, and delete custom metadata

See API Token Scopes for complete details.

Expiration Options

You can set when a token expires:

  • Never expires - Token remains valid indefinitely (use for service accounts)
  • Expires in days - Token expires after specified number of days (recommended: 30-90 days)
  • Expires on date - Token expires on a specific date

Note

For security, set expiration dates on tokens whenever possible and rotate tokens regularly.

Resource Selection

For Repositories and Sources scopes, you can choose:

  • All Resources - Access to all current and future resources (use *)
  • Specific Resources - Access limited to selected repositories or sources

Note

When a token is created for a specific source or repository, deleting and recreating that resource will require a new token.

Viewing Tokens

The token list displays:

  • Status indicator - Color-coded dot (green=active, gray=revoked, red=expired)
  • Token name/description - Primary identifier
  • Status badge - Active, Revoked, or Expired
  • Scope badge - Permission level
  • Creation date - When the token was created
  • Expiration date - When the token expires or “Never expires”
  • User - Email address associated with the token

Select any token row to view detailed information including the token ID, full description, scope details, and usage information.

Customizing Columns

To customize visible columns:

  1. Select the Column Config button (grid icon) near the top-right
  2. Select or clear columns to show or hide:
    • Token Name
    • Token ID
    • Status
    • Scope
    • Created Date
    • Expiration Date
    • Created For (User)

Your preferences are saved in the browser.

Filtering and Searching

Use the search bar to find tokens by name, description, or user email. The search is case-insensitive.

Status Filter

Filter tokens by status:

  • All Statuses - Show all tokens
  • Active - Show only tokens that can currently be used
  • Revoked - Show only tokens that have been revoked
  • Expired - Show only tokens past their expiration date

Expiration Filter

Filter tokens by expiration:

  • All - Show all tokens regardless of expiration
  • Never Expires - Show only tokens without an expiration date
  • Has Expiration - Show only tokens with a future expiration date
  • Expired - Show only tokens that have expired

Sorting

Sort tokens using the Sort By dropdown:

  • Newest First - Recently created tokens first (default)
  • Oldest First - Oldest tokens first
  • Name (A-Z) - Alphabetical by token description
  • Name (Z-A) - Reverse alphabetical

Active tokens always appear before revoked or expired tokens.

Revoking Tokens

Revoke tokens when they’re no longer needed or if compromised.

To revoke a token:

  1. Find the token in the list
  2. Select the Revoke button (trash icon) in the actions column
  3. Confirm the revocation
  4. The token is immediately revoked

You can also revoke from the token details modal by selecting Revoke Token at the bottom.

Warning

Revocation is immediate and permanent. Revoked tokens cannot be reinstated. You must create a new token to restore access.

Common Workflows

Creating a Repository Read Token

For users who need to download packages:

  1. Select Create Token
  2. User Email: analyst@example.com
  3. Description: Read access for data science repositories
  4. Permissions:
    • Resource Type: Repositories
    • Access Level: Read
    • Resources: Select specific repositories or All repositories
  5. Expiration: Expires in 90 days
  6. Select Create Token and copy the value

Creating an Admin Token for CI/CD

For automated systems requiring full access:

  1. Select Create Token
  2. User Email: cicd-system@example.com
  3. Description: GitHub Actions deployment pipeline
  4. Permissions:
    • Resource Type: All Resources
    • Access Level: Admin
  5. Expiration: Expires in 90 days
  6. Select Create Token and add to CI/CD secrets
  7. Set a reminder to rotate in 85 days

Creating a Sources Upload Token

For package maintainers who upload to specific sources:

  1. Select Create Token
  2. User Email: maintainer@example.com
  3. Description: Upload packages to internal-python source
  4. Permissions:
    • Resource Type: Sources
    • Access Level: Write
    • Resources: Select specific source
  5. Expiration: Expires in 365 days or Never expires
  6. Select Create Token and share securely

Rotating Tokens

To rotate an existing token:

  1. Filter or search to find the old token
  2. Create a new token with the same permissions
  3. Update all systems to use the new token
  4. Test that the new token works
  5. Revoke the old token

Auditing Tokens

To review token usage:

  1. Sort by Oldest First
  2. Filter to Active status
  3. Review tokens without expiration dates
  4. Revoke unused or unnecessary tokens
  5. Create new tokens with expiration dates as needed
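
The audit steps above, applied to an exported token inventory, as an added example that is not part of the Package Manager product or its documentation. The CSV layout, token IDs and sample rows are constructed assumptions (this does not parse rspm output); the five-day rotation lead follows the 90-day token with an 85-day reminder in the CI/CD workflow.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (assumed layout, not real rspm output);
# columns mirror the token list columns shown in the web interface.
INVENTORY_CSV = """\
name,token_id,status,scope,created,expires,user
GitHub Actions deployment pipeline,tok-001,active,global:admin,2025-01-10,2025-04-10,cicd-system@example.com
Upload packages to internal-python source,tok-002,active,sources:write,2024-03-01,,maintainer@example.com
Read access for data science repositories,tok-003,active,repos:read,2025-02-01,2025-05-02,analyst@example.com
Legacy metadata reader,tok-004,active,metadata:read,2023-06-15,,analyst@example.com
Old build token,tok-005,revoked,global:admin,2023-01-01,,cicd-system@example.com
"""

ROTATE_LEAD_DAYS = 5  # 90-day token, rotation reminder at day 85


def audit(csv_text, today):
    """Return [(token_id, [findings])] for active tokens, oldest first."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["status"] == "active"]                         # filter: Active
    rows.sort(key=lambda r: date.fromisoformat(r["created"]))   # sort: Oldest First
    report = []
    for r in rows:
        findings = []
        if not r["expires"]:
            findings.append("never expires")
        elif date.fromisoformat(r["expires"]) - today <= timedelta(days=ROTATE_LEAD_DAYS):
            findings.append("rotate now")
        if r["scope"] == "global:admin":
            findings.append("full admin scope")
        if r["scope"] == "metadata:read":
            findings.append("deprecated scope, use repos:read")
        if findings:
            report.append((r["token_id"], findings))
    return report


if __name__ == "__main__":
    for token_id, findings in audit(INVENTORY_CSV, date(2025, 4, 7)):
        print(token_id, "; ".join(findings))
```
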

Troubleshooting

Token Creation Fails

If token creation fails:

  1. Check all required fields are filled correctly
  2. Verify email format is valid
  3. Ensure description is under 500 characters
  4. Check that you’ve selected both resource type and access level
  5. Check browser console for specific error messages

Token Not Visible After Creation

If a created token doesn’t appear:

  1. Clear all filters (select the Clear filters button)

  2. Change sort order to “Newest First”

  3. Refresh the page (Ctrl+R or Cmd+R)

  4. Verify token was created using CLI:

    rspm list tokens

Revocation Doesn’t Work

If a token still works after revocation:

  1. Verify revocation was successful (check status in UI)

  2. Wait a few seconds for propagation

  3. Check using CLI that token is revoked:

    rspm list tokens --revoked

  4. Contact server administrator if token still works after 1 minute

Security Best Practices

Token Creation

  • Use descriptive names that include purpose and user
  • Set expiration dates (default to 90 days or less)
  • Grant minimum required scope
  • Create separate tokens for each purpose

Token Storage

  • Never commit tokens to version control
  • Use environment variables or secrets management systems
  • Share tokens securely (encrypted communication)
  • Maintain a token inventory

Token Maintenance

  • Review tokens monthly
  • Rotate long-lived tokens quarterly
  • Revoke orphaned tokens annually
  • Document token usage and rotation schedule

Incident Response

If a token is compromised:

  1. Immediately revoke the token
  2. Review server logs for suspicious activity
  3. Notify affected users and systems
  4. Create a replacement token
  5. Update systems with the new token
  6. Document the incident

CLI Comparison

The web interface and CLI provide similar functionality. Use the web interface for interactive token management and the CLI for automation and bulk operations.

| Feature          | Web Interface     | CLI               |
|------------------|-------------------|-------------------|
| Create tokens    | ✅ Visual form    | rspm create token |
| List tokens      | ✅ Sortable table | rspm list tokens  |
| View details     | ✅ Modal          | ✅ Verbose output |
| Revoke tokens    | ✅ One-click      | rspm revoke token |
| Filter by status | ✅ Built-in       | ✅ Flags          |
| Search tokens    | ✅ Real-time      | ❌ Use grep       |
| Batch operations |                   | ✅ Scripts        |

See Token Authentication for CLI commands and examples.
