What is a Personal Access Token?

What are Personal Access Tokens and what can they be used for?

A Personal Access Token is a user specific long lasting authentication token. Any Personal Access Token should be protected as if it were a password. There is no secondary authentication when using a Personal Access Token - if a user has another user’s Personal Access Token, they will be entirely able to act as the user that owns the Personal Access Token on the LUSID platform.

For this reason it is very important that Personal Access Tokens are strictly protected.

A Personal Access Token can be provided as a Bearer token in the Authorization HTTP header of any request to the LUSID platform. If the Personal Access Token is valid, the request will be associated to the user owning the Personal Access Token, and the request will be processed as such. Any access Roles (and associated Policies) to which the user is assigned will be used for access control as per any other request.

Personal Access Tokens are intended for use by automated systems that cannot support the Open ID Connect authentication flows. Due to the reduced level of authentication and lack of Multi-Factor Authentication (MFA), Personal Access Tokens should not be the first choice for application authentication, but rather the last resort.

Personal Access Tokens can optionally be created with a fixed deactivation date after which the token will become invalid.

Using  Personal Access Tokens

When making a request to a LUSID API, add an Authorization header with the value:

Bearer <my-personal-access-token>

Associated Roles and Policies

A Personal Access Token represents a user, and reflects whatever roles or policies that user’s access is governed by. As such, Roles and Policies are not directly associated with a Personal Access Token, only to the user that created the token. Changing the Roles assigned to a user, will affect the access capabilities of all of that user’s Personal Access Tokens.

Support for Personal Access Tokens

Any API call to the LUSID platform that currently supports a OpenID Connect Bearer token, will support a Personal Access Token.

Currently Honeycomb does not currently support Personal Access Tokens, and the LUSID Website cannot be navigated using a Personal Access Token.

Administering Personal Access Tokens

Personal Access Tokens can be administered via the LUSID web application as well as directly through the Identity API.

To create and administer Personal Access Tokens via the LUSID web application, please visit this article to learn more.

The details of how to do so through the API can be seen the Open API Documentation (Swagger) for the identity service: https://www.lusid.com/identity/swagger/index.html

Personal Access Tokens once created can be revoked. Revoking a Personal Access Token will immediately mark it as invalid and it will be unusable on the LUSID platform. A token cannot be reactivated once revoked.

Deletion of a user will immediately permanently invalidate all of their Personal Access Tokens.