# API Tokens

## Overview

Use these API operations to interact with [API tokens](/panther-developer-workflows/api.md#how-to-create-a-panther-api-token) in Panther. An API token can rotate itself using the `POST api-tokens/self/rotate` endpoint.

To call the API, see the [How to use the Panther REST API](/panther-developer-workflows/api/rest.md#how-to-use-the-panther-rest-api) instructions—including [directions for how to invoke it directly from this documentation page](/panther-developer-workflows/api/rest.md#step-3-invoke-the-panther-rest-api).

## Required permissions

* For `GET` operations, your API token must have the `Read API Token Info` permission.
* For `POST` and `DELETE` operations, your API token must have the `Manage API Tokens` permission.

See [Permission names in the Console and API](/system-configuration/rbac.md#permission-names-in-the-console-and-api) for additional information.

## Operations

## POST /api-tokens

> Create an api token

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"api token","description":"The api token api handles all operations for api tokens"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"APITokenAPI.ModifyAPIToken":{"type":"object","properties":{"allowedCIDRBlocks":{"type":"array","items":{"type":"string"},"description":"The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed"},"name":{"type":"string","description":"The name of the token"},"permissions":{"type":"array","items":{"type":"string","enum":["AIRunAsModify","AlertModify","AlertRead","BulkUpload","BulkUploadValidate","CloudsecSourceModify","CloudsecSourceRead","DataAnalyticsModify","DataAnalyticsRead","DestinationModify","DestinationRead","GeneralSettingsModify","GeneralSettingsRead","LogSourceModify","LogSourceRawDataRead","LogSourceRead","LookupModify","LookupRead","ManageAIResponses","ManageAISkills","McpServerModify","McpServerRead","NotificationsSend","OrganizationAPITokenModify","OrganizationAPITokenRead","PolicyModify","PolicyRead","ResourceModify","ResourceRead","RuleModify","RuleRead","RunPantherAI","SummaryRead","UserModify","UserRead","ViewAIPrivateResponses","ViewAISkills"]}}},"required":["name","permissions"]},"APITokenAPI.APIToken":{"type":"object","properties":{"allowedCIDRBlocks":{"type":"array","items":{"type":"string"},"description":"The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed"},"createdAt":{"type":"string","description":"Time when the API token was created"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the token"},"expiresAt":{"type":"string","description":"Time when the API token will expire. Will be null if the token is non-expiring"},"id":{"type":"string","description":"The unique identifier of the token"},"lastUsedAt":{"type":"string","description":"The last time this token was used to authenticate"},"name":{"type":"string","description":"The name of the token"},"permissions":{"type":"array","items":{"type":"string","enum":["AIRunAsModify","AlertModify","AlertRead","BulkUpload","BulkUploadValidate","CloudsecSourceModify","CloudsecSourceRead","DataAnalyticsModify","DataAnalyticsRead","DestinationModify","DestinationRead","GeneralSettingsModify","GeneralSettingsRead","LogSourceModify","LogSourceRawDataRead","LogSourceRead","LookupModify","LookupRead","ManageAIResponses","ManageAISkills","McpServerModify","McpServerRead","NotificationsSend","OrganizationAPITokenModify","OrganizationAPITokenRead","PolicyModify","PolicyRead","ResourceModify","ResourceRead","RuleModify","RuleRead","RunPantherAI","SummaryRead","UserModify","UserRead","ViewAIPrivateResponses","ViewAISkills"]}},"rotatedAt":{"type":"string","description":"Time when the API token was rotated"},"updatedAt":{"type":"string","description":"Time when the API token was updated"},"updatedBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who updated the token"},"value":{"type":"string","description":"The API token value, only populated during create and rotate actions"}},"required":["name","permissions","id","createdAt"]},"APITokenAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/api-tokens":{"post":{"tags":["api token"],"summary":"Create an api token","operationId":"api token#create","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.ModifyAPIToken"}}}},"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.APIToken"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.BadRequestError"}}}}}}}}}
```

## GET /api-tokens/{id}

> Get an api token

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"api token","description":"The api token api handles all operations for api tokens"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"APITokenAPI.APIToken":{"type":"object","properties":{"allowedCIDRBlocks":{"type":"array","items":{"type":"string"},"description":"The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed"},"createdAt":{"type":"string","description":"Time when the API token was created"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the token"},"expiresAt":{"type":"string","description":"Time when the API token will expire. Will be null if the token is non-expiring"},"id":{"type":"string","description":"The unique identifier of the token"},"lastUsedAt":{"type":"string","description":"The last time this token was used to authenticate"},"name":{"type":"string","description":"The name of the token"},"permissions":{"type":"array","items":{"type":"string","enum":["AIRunAsModify","AlertModify","AlertRead","BulkUpload","BulkUploadValidate","CloudsecSourceModify","CloudsecSourceRead","DataAnalyticsModify","DataAnalyticsRead","DestinationModify","DestinationRead","GeneralSettingsModify","GeneralSettingsRead","LogSourceModify","LogSourceRawDataRead","LogSourceRead","LookupModify","LookupRead","ManageAIResponses","ManageAISkills","McpServerModify","McpServerRead","NotificationsSend","OrganizationAPITokenModify","OrganizationAPITokenRead","PolicyModify","PolicyRead","ResourceModify","ResourceRead","RuleModify","RuleRead","RunPantherAI","SummaryRead","UserModify","UserRead","ViewAIPrivateResponses","ViewAISkills"]}},"rotatedAt":{"type":"string","description":"Time when the API token was rotated"},"updatedAt":{"type":"string","description":"Time when the API token was updated"},"updatedBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who updated the token"},"value":{"type":"string","description":"The API token value, only populated during create and rotate actions"}},"required":["name","permissions","id","createdAt"]},"APITokenAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"APITokenAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/api-tokens/{id}":{"get":{"tags":["api token"],"summary":"Get an api token","operationId":"api token#get","parameters":[{"name":"id","in":"path","description":"ID of the api token. Note: if self is provided, the current api token will be returned","required":true,"schema":{"type":"string","description":"ID of the api token. Note: if self is provided, the current api token will be returned"}}],"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.APIToken"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.BadRequestError"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.NotFoundError"}}}}}}}}}
```

## POST /api-tokens/{id}

> Update an api token

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"api token","description":"The api token api handles all operations for api tokens"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"APITokenAPI.ModifyAPIToken":{"type":"object","properties":{"allowedCIDRBlocks":{"type":"array","items":{"type":"string"},"description":"The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed"},"name":{"type":"string","description":"The name of the token"},"permissions":{"type":"array","items":{"type":"string","enum":["AIRunAsModify","AlertModify","AlertRead","BulkUpload","BulkUploadValidate","CloudsecSourceModify","CloudsecSourceRead","DataAnalyticsModify","DataAnalyticsRead","DestinationModify","DestinationRead","GeneralSettingsModify","GeneralSettingsRead","LogSourceModify","LogSourceRawDataRead","LogSourceRead","LookupModify","LookupRead","ManageAIResponses","ManageAISkills","McpServerModify","McpServerRead","NotificationsSend","OrganizationAPITokenModify","OrganizationAPITokenRead","PolicyModify","PolicyRead","ResourceModify","ResourceRead","RuleModify","RuleRead","RunPantherAI","SummaryRead","UserModify","UserRead","ViewAIPrivateResponses","ViewAISkills"]}}},"required":["name","permissions"]},"APITokenAPI.APIToken":{"type":"object","properties":{"allowedCIDRBlocks":{"type":"array","items":{"type":"string"},"description":"The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed"},"createdAt":{"type":"string","description":"Time when the API token was created"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the token"},"expiresAt":{"type":"string","description":"Time when the API token will expire. Will be null if the token is non-expiring"},"id":{"type":"string","description":"The unique identifier of the token"},"lastUsedAt":{"type":"string","description":"The last time this token was used to authenticate"},"name":{"type":"string","description":"The name of the token"},"permissions":{"type":"array","items":{"type":"string","enum":["AIRunAsModify","AlertModify","AlertRead","BulkUpload","BulkUploadValidate","CloudsecSourceModify","CloudsecSourceRead","DataAnalyticsModify","DataAnalyticsRead","DestinationModify","DestinationRead","GeneralSettingsModify","GeneralSettingsRead","LogSourceModify","LogSourceRawDataRead","LogSourceRead","LookupModify","LookupRead","ManageAIResponses","ManageAISkills","McpServerModify","McpServerRead","NotificationsSend","OrganizationAPITokenModify","OrganizationAPITokenRead","PolicyModify","PolicyRead","ResourceModify","ResourceRead","RuleModify","RuleRead","RunPantherAI","SummaryRead","UserModify","UserRead","ViewAIPrivateResponses","ViewAISkills"]}},"rotatedAt":{"type":"string","description":"Time when the API token was rotated"},"updatedAt":{"type":"string","description":"Time when the API token was updated"},"updatedBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who updated the token"},"value":{"type":"string","description":"The API token value, only populated during create and rotate actions"}},"required":["name","permissions","id","createdAt"]},"APITokenAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"APITokenAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/api-tokens/{id}":{"post":{"tags":["api token"],"summary":"Update an api token","operationId":"api token#update","parameters":[{"name":"id","in":"path","description":"ID of the api token. Note: if self is provided, the current api token will be updated","required":true,"schema":{"type":"string","description":"ID of the api token. Note: if self is provided, the current api token will be updated"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.ModifyAPIToken"}}}},"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.APIToken"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.BadRequestError"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.NotFoundError"}}}}}}}}}
```

## DELETE /api-tokens/{id}

> delete api token

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"api token","description":"The api token api handles all operations for api tokens"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"APITokenAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"APITokenAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/api-tokens/{id}":{"delete":{"tags":["api token"],"summary":"delete api token","operationId":"api token#delete","parameters":[{"name":"id","in":"path","description":"ID of the api token to delete. Note: if self is provided, the current api token will be deleted","required":true,"schema":{"type":"string","description":"ID of the api token to delete. Note: if self is provided, the current api token will be deleted"}}],"responses":{"204":{"description":"No Content response."},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.BadRequestError"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.NotFoundError"}}}}}}}}}
```

## GET /api-tokens

> List api tokens

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"api token","description":"The api token api handles all operations for api tokens"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"APITokenAPI.ListResp":{"type":"object","properties":{"next":{"type":"string","description":"Pagination token for the next page of results"},"results":{"type":"array","items":{"$ref":"#/components/schemas/APITokenAPI.APIToken"}}},"required":["results"]},"APITokenAPI.APIToken":{"type":"object","properties":{"allowedCIDRBlocks":{"type":"array","items":{"type":"string"},"description":"The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed"},"createdAt":{"type":"string","description":"Time when the API token was created"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the token"},"expiresAt":{"type":"string","description":"Time when the API token will expire. Will be null if the token is non-expiring"},"id":{"type":"string","description":"The unique identifier of the token"},"lastUsedAt":{"type":"string","description":"The last time this token was used to authenticate"},"name":{"type":"string","description":"The name of the token"},"permissions":{"type":"array","items":{"type":"string","enum":["AIRunAsModify","AlertModify","AlertRead","BulkUpload","BulkUploadValidate","CloudsecSourceModify","CloudsecSourceRead","DataAnalyticsModify","DataAnalyticsRead","DestinationModify","DestinationRead","GeneralSettingsModify","GeneralSettingsRead","LogSourceModify","LogSourceRawDataRead","LogSourceRead","LookupModify","LookupRead","ManageAIResponses","ManageAISkills","McpServerModify","McpServerRead","NotificationsSend","OrganizationAPITokenModify","OrganizationAPITokenRead","PolicyModify","PolicyRead","ResourceModify","ResourceRead","RuleModify","RuleRead","RunPantherAI","SummaryRead","UserModify","UserRead","ViewAIPrivateResponses","ViewAISkills"]}},"rotatedAt":{"type":"string","description":"Time when the API token was rotated"},"updatedAt":{"type":"string","description":"Time when the API token was updated"},"updatedBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who updated the token"},"value":{"type":"string","description":"The API token value, only populated during create and rotate actions"}},"required":["name","permissions","id","createdAt"]}}},"paths":{"/api-tokens":{"get":{"tags":["api token"],"summary":"List api tokens","operationId":"api token#list","responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.ListResp"}}}}}}}}}
```

## POST /api-tokens/{id}/rotate

> Rotate an api token. If self is provided the current token will be rotated

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"api token","description":"The api token api handles all operations for api tokens"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"APITokenAPI.APIToken":{"type":"object","properties":{"allowedCIDRBlocks":{"type":"array","items":{"type":"string"},"description":"The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed"},"createdAt":{"type":"string","description":"Time when the API token was created"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the token"},"expiresAt":{"type":"string","description":"Time when the API token will expire. Will be null if the token is non-expiring"},"id":{"type":"string","description":"The unique identifier of the token"},"lastUsedAt":{"type":"string","description":"The last time this token was used to authenticate"},"name":{"type":"string","description":"The name of the token"},"permissions":{"type":"array","items":{"type":"string","enum":["AIRunAsModify","AlertModify","AlertRead","BulkUpload","BulkUploadValidate","CloudsecSourceModify","CloudsecSourceRead","DataAnalyticsModify","DataAnalyticsRead","DestinationModify","DestinationRead","GeneralSettingsModify","GeneralSettingsRead","LogSourceModify","LogSourceRawDataRead","LogSourceRead","LookupModify","LookupRead","ManageAIResponses","ManageAISkills","McpServerModify","McpServerRead","NotificationsSend","OrganizationAPITokenModify","OrganizationAPITokenRead","PolicyModify","PolicyRead","ResourceModify","ResourceRead","RuleModify","RuleRead","RunPantherAI","SummaryRead","UserModify","UserRead","ViewAIPrivateResponses","ViewAISkills"]}},"rotatedAt":{"type":"string","description":"Time when the API token was rotated"},"updatedAt":{"type":"string","description":"Time when the API token was updated"},"updatedBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who updated the token"},"value":{"type":"string","description":"The API token value, only populated during create and rotate actions"}},"required":["name","permissions","id","createdAt"]},"APITokenAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"APITokenAPI.ForbiddenErr":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"APITokenAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/api-tokens/{id}/rotate":{"post":{"tags":["api token"],"summary":"Rotate an api token. If self is provided the current token will be rotated","operationId":"api token#rotate","parameters":[{"name":"id","in":"path","description":"ID of the api token to rotate. Note: if self is provided, the current api token will be rotated","required":true,"schema":{"type":"string","description":"ID of the api token to rotate. Note: if self is provided, the current api token will be rotated"}}],"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.APIToken"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.BadRequestError"}}}},"403":{"description":"forbidden: Forbidden response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.ForbiddenErr"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APITokenAPI.NotFoundError"}}}}}}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/panther-developer-workflows/api/rest/api-tokens.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.