Organization API Tokens

The Organization API Tokens page is only visible to users who are Organization Superusers for that organization (the same permission that controls the Organization Team page). It is reached from the API Tokens card on the Organization home page.

The page lists every API token currently held by any user in the organization, giving superusers a single place to audit and clean up token usage across the whole organization. For each token it shows:

  • Name - the name the owning user gave the token when they created it

  • Prefix - a short prefix of the token value, for matching a row against a token held elsewhere

  • User - the user who owns the token, linked to their team-member edit page

  • Last used - when the token was last used to authenticate (blank if it has never been used)

  • Last usage - the request method and path of the most recent use

The list is searchable and sortable.

Note

Superusers cannot see the value of any token. Token values are stored only as one-way hashes and are shown to the owning user once, at creation time. TrialGrid Ltd staff cannot recover a token value. Only the name, prefix and usage metadata above are visible here. For the user-facing flow of creating and copying tokens, see Managing your API tokens.

Revoking a token

Each row has a Revoke action. Selecting it opens a confirmation dialog showing the token prefix and the user it belongs to. Confirming the revoke:

  • permanently deletes the token - any application still using it starts receiving 401 Unauthorized responses immediately;

  • records an Activity against the token owner noting which superuser revoked the token; and

  • sends the token owner an email notifying them that the token was revoked.

Revoking a token here is equivalent to the owner revoking it themselves from their profile. To stop a user creating or using tokens entirely, remove the Can create and manage personal API tokens permission on the Organization Team page - but note that this only blocks existing tokens while the permission is disabled; revoke them here to destroy them permanently.

See also

Token Authentication for the token authentication protocol and the api-token-auth endpoint.