API tokens
Creating, scoping, rotating, and revoking tokens for programmatic access.
API tokens let you read your DevUpdate.io data programmatically — for custom dashboards, CI integrations, or the MCP server.
Creating a token #
From Settings → API tokens:
- Click Create token.
- Give it a descriptive name (e.g.
cursor-mcp,ci-deploy-gate,personal-laptop). The name is visible only to you and helps you identify which token to revoke later. - Copy the token value immediately — it's only shown once.
The token value is shown exactly one time. After you close the dialog you cannot retrieve it again — you'll have to revoke and create a new one. Store it in your password manager or your shell's secret store at creation time.
Using a token #
Pass the token in the Authorization header:
Authorization: Bearer <token>
The same token works for the REST API and the MCP server — no separate provisioning needed.
Scope #
Tokens are per-user and inherit your account permissions:
- Solo accounts: access to your sources, lockfiles, and pulse feed.
- Team accounts: access to team-scoped data based on your team role. A token issued by a team member can read team sources; a member-role token can't manage members or billing.
There are no per-token scoping toggles today (e.g. read-only vs. admin) — the token has the same capabilities your user does.
Rotating #
Best practice: create a replacement token first, swap your client to the new value, verify it works, then revoke the old one. This avoids any window of brokenness during rotation.
Revoking #
From the same settings page, click Revoke next to the token name. The token stops working immediately — there's no grace period. Anyone or anything still using it will start getting 401s on the next request.