Personal access tokens function similar to session tokens and can be used by integrations to authenticate against the REST API. It is the most commonly used type of token for integrations.
Enable personal access tokens in System Console > Integrations > Integration Management.
Identify the account you want to create a personal access token with. You may optionally create a new user account for your integration, such as for a bot account. By default, only System Admins have permissions to create a personal access token.
To create an access token with a non-admin account, you must first give it the appropriate permissions. Go to System Console > User Management > Users, search for the user account, then select Manage Roles from the dropdown.
Select Allow this account to generate personal access tokens.
You may optionally allow the account to post to any channel in your Mattermost server, including direct messages by choosing the post:all role. post:channels role allows the account to post to any public channel in the Mattermost server.
Then select Save.
Sign in to the user account to create a personal access token.
Go to Profile > Security > Personal Access Tokens, then select Create Token.
Enter a description for the token, so you remember what it’s used for. Then select Save.
Copy the access token now for your integration and store it in a secure location. You won’t be able to see it again!
You’re all set! You can now use the personal access token for integrations to interact with your Mattermost server and authenticate against the REST API.
A personal access token can be revoked by deleting the token from either the user’s profile settings or from the System Console. Once deleted, all sessions using the token are deleted, and any attempts to use the token to interact with the Mattermost server are blocked.
Tokens can also be temporarily deactivated from the user’s profile. Once deactivated, all sessions using the token are deleted, and any attempts to use the token to interact with the Mattermost server are blocked. However, the token can be reactivated at any time.
Sign in to the user account, select the user avatar, then select Profile > Security > Personal Access Tokens.
Identify the access token you want to revoke, then select Delete and confirm the deletion.
Go to System Console > User Management > Users, search for the user account which the token belongs to, then select Manage Tokens from the dropdown.
Identify the access token you want to revoke, then select Delete and confirm the deletion.
Besides the above differences, personal access tokens are exactly the same as regular session tokens. They are cryptic random IDs and are not different from a user’s regular session token created after logging in to Mattermost.
Not in Mattermost, but you can automate your integration to cycle its token through the REST API.
The best option is to go to System Console > Logs and finding error messages relating to a particular token ID. Once identified, you can search which user account the token ID belongs to in System Console > Users and revoke it through the Manage Tokens dropdown option.
No. The session used by the personal access token is revoked immediately after a user is deactivated, and a new session won’t be created. The tokens are preserved and continue to function if the user account is re-activated. This is useful when a bot account is temporarily deactivated for troubleshooting, for instance.
