API Tokens
Administration
API tokens let you access the NOB.center API from scripts, CI pipelines, or third-party integrations without using your account credentials. Each token carries an explicit set of permissions and has a hard expiry date.
Navigate to Administration → API Tokens to manage your tokens.
Token roles
Two roles control who can manage tokens in an organization:
| Role | What it allows |
|---|---|
| Token Manager | Create tokens, view your own tokens, revoke your own tokens |
| Token Admin | All Token Manager permissions, plus view and revoke all tokens in the organization |
Token Admin is typically reserved for administrators who need to audit or clean up tokens created by other users.
Creating a token
Click Create Token and fill in the form:
| Field | Description |
|---|---|
| Name | A human-readable label, e.g. grafana-integration or deploy-pipeline |
| Validity | How many days the token is valid (1–30 days) |
| Permissions | One or more individual permission scopes |
After clicking Create, the full token value is displayed once. Copy it immediately — it cannot be retrieved again. NOB.center stores only a hash of the token.
[Figure: The Create Token modal showing the permission scope selector]
[Figure: The token value shown immediately after creation — copy it now]
Permission scopes
Tokens use individual permissions, not roles. You select exactly which operations the token is allowed to perform. The format is module-name:permission_name.
CT-Log scopes
| Scope | What it permits |
|---|---|
| ct-log:view_certificates | Read certificate matches |
| ct-log:view_filters | Read domain filters |
| ct-log:create_filters | Create domain filters |
| ct-log:update_filters | Edit domain filters |
| ct-log:delete_filters | Delete domain filters |
| ct-log:view_rules | Read alert rules |
| ct-log:create_rules | Create alert rules |
| ct-log:update_rules | Edit alert rules |
| ct-log:delete_rules | Delete alert rules |
| ct-log:view_templates | Read alert templates |
| ct-log:create_templates | Create alert templates |
| ct-log:update_templates | Edit alert templates |
| ct-log:delete_templates | Delete alert templates |
| ct-log:view_alerts | Read alert history |
DNS-Watcher scopes
| Scope | What it permits |
|---|---|
| dns-watcher:view_domains | Read monitored domains |
| dns-watcher:create_domains | Add domains |
| dns-watcher:update_domains | Edit domain settings |
| dns-watcher:delete_domains | Remove domains |
| dns-watcher:view_records | Read DNS records |
| dns-watcher:create_records | Add DNS records |
| dns-watcher:update_records | Enable/disable DNS records |
| dns-watcher:delete_records | Remove DNS records |
| dns-watcher:view_history | Access snapshot history |
| dns-watcher:view_rules · create_rules · update_rules · delete_rules | Alert rule management |
| dns-watcher:view_templates · create_templates · update_templates · delete_templates | Alert template management |
| dns-watcher:view_alerts | Alert history |
RDAP scopes
| Scope | What it permits |
|---|---|
| rdap:view_whois_records | Read domains, snapshots, history, diffs |
| rdap:create_monitors | Add RDAP monitors |
| rdap:update_monitors | Edit monitor settings |
| rdap:delete_monitors | Remove monitors |
| rdap:view_rules · create_rules · update_rules · delete_rules | Alert rule management |
| rdap:view_templates · create_templates · update_templates · delete_templates | Alert template management |
| rdap:view_alerts | Alert history |
Certificate-Watcher scopes
| Scope | What it permits |
|---|---|
| cert-watcher:view_certificates | Read certificate monitors |
| cert-watcher:create_certificates | Create monitors |
| cert-watcher:update_certificates | Edit monitors |
| cert-watcher:delete_certificates | Delete monitors |
| cert-watcher:view_targets | Read IP targets |
| cert-watcher:create_targets | Add IP targets |
| cert-watcher:update_targets | Edit targets |
| cert-watcher:delete_targets | Remove targets |
| cert-watcher:view_history | Access scan history |
| cert-watcher:view_rules · create_rules · update_rules · delete_rules | Alert rule management |
| cert-watcher:view_templates · create_templates · update_templates · delete_templates | Alert template management |
| cert-watcher:view_alerts | Alert history |
Administration scopes
| Scope | What it permits |
|---|---|
| administration:view_users | List organization members |
| administration:manage_users | Invite, edit, and remove users |
| administration:manage_permissions | Change role assignments |
| administration:view_audit_logs | Read the audit log (coming soon) |
Using a token
Pass the token in the Authorization header as a Bearer credential on every API request:
```bash
curl -H "Authorization: Bearer nob_<your-token>" \
  https://app.nob.center/api/ct-log/filters
```
A request with a missing or invalid token returns 401. A request with a valid token that lacks the required permission returns 403.
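How hash-only storage and the 401/403 split described above can fit together, as an added example that is not NOB.center's own code. SHA-256, the 11-character lookup prefix, the in-memory store, the function names, and answering 401 for expired or revoked tokens are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

PREFIX_LEN = 11  # assumption: non-secret lookup prefix, shaped like "nob_abc123x"

def issue(store, name, scopes, validity_days, now):
    """Create a token, keep only its SHA-256 digest, and return the raw value once."""
    if not 1 <= validity_days <= 30:
        raise ValueError("validity must be 1-30 days")
    raw = "nob_" + secrets.token_urlsafe(32)
    store[raw[:PREFIX_LEN]] = {
        "name": name,
        "scopes": frozenset(scopes),
        "digest": hashlib.sha256(raw.encode()).digest(),
        "expires_at": now + timedelta(days=validity_days),
        "revoked": False,
    }
    return raw  # never written to the store, so it cannot be shown again

def authorize(store, header, required_scope, now):
    """Return 200, 401 or 403 for one request (hypothetical server-side check)."""
    if not header or not header.startswith("Bearer "):
        return 401  # missing credential
    raw = header[len("Bearer "):]
    rec = store.get(raw[:PREFIX_LEN])
    digest = hashlib.sha256(raw.encode()).digest()
    # Constant-time compare; an unknown prefix is compared against a dummy digest.
    matches = hmac.compare_digest(digest, rec["digest"] if rec else bytes(32))
    if rec is None or not matches:
        return 401  # invalid token
    if rec["revoked"] or now >= rec["expires_at"]:
        return 401  # assumption: expired and revoked tokens count as invalid
    return 200 if required_scope in rec["scopes"] else 403

if __name__ == "__main__":
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)  # constructed clock
    store = {}
    raw = issue(store, "deploy-pipeline", ["ct-log:view_filters"], 30, now)
    for scope in ("ct-log:view_filters", "ct-log:delete_filters"):
        print(scope, authorize(store, "Bearer " + raw, scope, now))
```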
Token expiry and renewal
Every token has a hard expiry set at creation. After expiry the token is automatically rejected — it cannot be used even if it was never used before.
To extend a token's lifetime, call the renew endpoint using the token itself as the authentication credential. The token must not yet be expired. The new expiry is calculated from today using the same validity period as when the token was originally created.
```bash
curl -X POST \
  -H "Authorization: Bearer nob_<your-token>" \
  https://app.nob.center/api/api-tokens/<token-id>/renew
```
Revoking a token
Click Revoke next to any token in the list to permanently invalidate it. Revocation is immediate and cannot be undone.
Token Admins can revoke tokens created by any user in the organization.
API reference
GET /api/api-tokens
List your own tokens (non-sensitive — does not return the raw token value).
Permission: view_own_tokens
Response:
```json
{
  "tokens": [
    {
      "id": 1,
      "name": "deploy-pipeline",
      "token_prefix": "nob_abc123x",
      "scopes": ["ct-log:view_certificates", "ct-log:view_filters"],
      "expires_at": "2026-02-14T00:00:00Z",
      "last_used_at": "2026-01-15T09:45:00Z",
      "created_at": "2026-01-15T00:00:00Z",
      "revoked_at": null
    }
  ]
}
```
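A token-inventory check built on this response and on the expiry rule from "Token expiry and renewal", as an added example rather than part of the NOB.center API. The function names, the 5-day renewal margin, the 14-day staleness threshold and the sample entries are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Permission-name prefixes that change state, taken from the scope tables on this page.
WRITE_PREFIXES = ("create_", "update_", "delete_", "manage_")

def parse_ts(value):
    """Parse the API's UTC timestamps ("2026-02-14T00:00:00Z"); None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_token(tok, now, renew_margin_days=5, stale_days=14):
    """Findings for one entry of the "tokens" array (thresholds are assumptions)."""
    if tok["revoked_at"] is not None:
        return ["revoked"]
    expires = parse_ts(tok["expires_at"])
    if expires <= now:
        # The renew endpoint only accepts a token that is still valid.
        return ["expired: create a replacement"]
    findings = []
    if expires - now <= timedelta(days=renew_margin_days):
        findings.append("renew soon")
    last_used = parse_ts(tok["last_used_at"])
    if last_used is None:
        findings.append("never used")
    elif now - last_used > timedelta(days=stale_days):
        findings.append("stale")
    for scope in tok["scopes"]:
        module, sep, perm = scope.partition(":")
        if not (sep and module and perm):
            findings.append(f"malformed scope: {scope}")
        elif perm.startswith(WRITE_PREFIXES):
            findings.append(f"write scope: {scope}")
    return findings

def audit(listing, now):
    """Map token name -> findings for a GET /api/api-tokens response body."""
    return {t["name"]: audit_token(t, now) for t in listing["tokens"]}

# Constructed sample in the shape of the list response (not real tokens).
NOW = datetime(2026, 2, 10, tzinfo=timezone.utc)
SAMPLE = {"tokens": [
    {"name": "deploy-pipeline", "scopes": ["ct-log:view_certificates", "ct-log:view_filters"],
     "expires_at": "2026-02-14T00:00:00Z", "last_used_at": "2026-01-15T09:45:00Z", "revoked_at": None},
    {"name": "grafana-integration", "scopes": ["ct-log:view_alerts", "dns-watcher:delete_domains"],
     "expires_at": "2026-03-01T00:00:00Z", "last_used_at": None, "revoked_at": None},
    {"name": "old-job", "scopes": ["rdap:view_alerts"],
     "expires_at": "2026-02-01T00:00:00Z", "last_used_at": "2026-01-20T00:00:00Z", "revoked_at": None},
]}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, NOW).items():
        print(name, findings)
```

The same function works on the organization-wide listing if it has the same entry shape, which this page does not show.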
GET /api/api-tokens/org
List all tokens for the organization.
Permission: view_all_tokens
POST /api/api-tokens
Create a new token.
Permission: create_tokens
Body:
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Human-readable label |
| validity_days | int | Yes | 1–30 |
| scopes | list | Yes | Array of "module:permission" strings |
Response:
```json
{
  "id": 1,
  "token": "nob_abc123xyz...",
  "name": "deploy-pipeline",
  "expires_at": "2026-02-14T00:00:00Z",
  "message": "Token created. Copy it now — it will not be shown again."
}
```
DELETE /api/api-tokens/{token_id}
Revoke a token.
Permission: delete_tokens (own tokens) or revoke_all_tokens (any token)
Response: {"message": "Token revoked"}
POST /api/api-tokens/{token_id}/renew
Renew a token. Must be authenticated using the token being renewed.
Permission: Token must be valid and not yet expired.
Response: {"message": "Token renewed", "expires_at": "2026-03-15T00:00:00Z"}