Skip to content


Single Token

A single access token. Note that the token itself will never be published by the API to prevent misusing them; instead this resource will deliver metadata to enable an overview of issued tokens and the possibility to revoke them.

The JSON Schema is


Property Type Format Description Writable
accessTokenID String Version 4 UUID (RFC 4122) The unique identifier for the Token. This is NOT the token itself. It is equivalent to the JWT's jti. No. Gets generated on creation.
device JSON Device this access token was issued to. JSON object provided by express-useragent. Notable properties are Platform, OS and Browser. No
ipAddress String IP Address (IPv6 or IPv4) IP Address this access token was issued to No
ipAddressLocation String Assumed Location of the IP Address this access token was issued to (e.g. city name) No
isCurrent Boolean Flag indicating that this access token is the one currently used for this request No
issued String ISO-8601 formatted UTC Date String (YYYY-MM-DDTHH:mm:ss.sssZ, RFC 3339) Timestamp of the creation of this access token No
validUntil String ISO-8601 formatted UTC Date String (YYYY-MM-DDTHH:mm:ss.sssZ, RFC 3339) Timestamp of the current end of the validity lifetime of this token. No


Relation Name Target Resource Description Possible Methods
self Token The resource itself GET, DELETE
collection Token List List of all available Tokens GET
ec:account Account The account of this access token. GET, PUT


The Token List Resource is a Generic List Resource with embedded Token Resources.

It is a collection of currently valid access tokens for an account.

Possible Actions


To read a single Token Resource, clients may perform GET on a ec:account/token relation.

To read the App List Resource, clients may perform GET on a ec:account/tokens relation or on the collection relation of a single Token resource.

In both cases, the success status code is 200 OK.


A new token gets generated on Login. For API Keys, a long-lived token gets generated on creation.

It is possible to add 1 additional token to API Key Accounts (Accounts without password and without email address). POST to ec:account/tokens with account edit permission. An API Key Account can have a maximum of 2 valid tokens at any time. To create more, invalidate an old one first.


Modification of Tokens is not possible.


A token can be revoked by performing a DELETE Request on a single Token resource. The token can then not be used anymore, regardless of its validUntil value. The current token (isCurrent === true) cannot be deleted. Perform a Logout instead.