Personal Access Tokens are currently in closed beta and are feature-flagged. Contact support to request access. PATs are not available for SSO/enterprise accounts.
Overview
Personal Access Tokens (PATs) allow human users to authenticate programmatically under their own identity. Unlike service user API keys (which authenticate as a non-human service user), a PAT authenticates as you — the human user who created the token.

| Token type | Authenticates as | Identity | Permissions |
|---|---|---|---|
| Service User API Key | Service User (non-human) | The service user’s identity | The service user’s assigned role |
| Personal Access Token | User (human) | Your user identity | Your permissions and org memberships |
Both token types use the `cog_` prefix format and are used identically in the `Authorization` header.
When to use PATs
PATs are designed for scenarios where you need programmatic API access as yourself:

- Personal scripts and tooling — automate your own workflows without a shared service user
- Local development — test API integrations using your own account
- Short-lived automation — one-off scripts that should be attributed to you
How it works
- Generate a PAT in your account settings
- The token starts with `cog_` and is shown only once at creation time
- Use the token in the `Authorization` header — exactly like a service user API key
- Every API call authenticates as your user account — your permissions, org memberships, and audit trail apply
Key differences from service user API keys
| Aspect | Service User API Key | Personal Access Token |
|---|---|---|
| Identity | Non-human service user | Your human user account |
| Permissions | Controlled by assigned RBAC role | Inherits your existing permissions |
| Audit trail | Actions attributed to service user | Actions attributed to you |
| Key management | Managed by org/enterprise admins | Managed by you personally |
| Use case | Production automation, CI/CD | Personal scripts, local tooling |
| Availability | Generally available | Closed beta |
Limitations
- Closed beta: PATs require a feature flag to be enabled for your account
- Not available for SSO/enterprise accounts: Currently limited to non-SSO accounts
- Personal scope: PATs are tied to your individual account and cannot be shared
Security considerations
- Treat PATs with the same care as passwords — they provide full access to your account
- Store PATs in environment variables or secret managers, never in source code
- Revoke PATs immediately if compromised
- Use the minimum scope necessary for your use case
- Prefer service user API keys for any shared or production automation
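
One way to enforce the "never in source code" rule above is a pre-commit or CI check that flags hard-coded `cog_` tokens. This is an added example, not code from the product or its documentation; the token body pattern (16 or more URL-safe characters after the prefix), the `SKIP_DIRS` list and all function names are assumptions, since the page states only the `cog_` prefix.

```python
import re
import sys
from pathlib import Path

# The page states only that tokens start with "cog_". The body shape here
# (16+ URL-safe characters) is an ASSUMPTION; adjust it to your real tokens.
# The lookbehind avoids matching identifiers such as "recog_...".
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])cog_[A-Za-z0-9_\-]{16,}")
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}  # assumed list


def redact(token: str) -> str:
    """Keep just enough of the match to locate it, never the full secret."""
    return token[:8] + "..."


def scan_text(text: str, name: str = "<text>"):
    """Return (name, line_number, redacted_token) for each hard-coded token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((name, lineno, redact(match.group())))
    return findings


def scan_tree(root: str):
    """Scan every readable text file under root, skipping SKIP_DIRS."""
    findings = []
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(base).parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, lineno, token in hits:
        print(f"{name}:{lineno}: possible hard-coded token {token}")
    sys.exit(1 if hits else 0)
```

Run it against the repository root; a non-zero exit status blocks the commit or build. Any token it finds should be revoked, not just removed from the file.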
Next steps
- Authentication overview — understand the full auth model
- Teams quick start — get started with service users
