API tokens

API tokens let you authenticate from outside the browser — from the pfnstudio CLI on your workstation, from CI, from a Python script calling the Predict API, or any other HTTP caller.

Where they live

/api-tokens (avatar menu → API tokens).

The page has two cards:

Issue card

  • Token name — a label so you can find it later (e.g. “laptop”, “ci-bot”)
  • Expires in (days) — numeric input; leave blank for no expiry
  • Issue token button

On click, the page mints the token server-side and reveals the plaintext value once, in a gold box with copy buttons:

🔑 Token issued. Keep it secret, you can’t retrieve it again.

pfnstudio_pat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[📋 Copy] [📋 Copy as export PFNSTUDIO_TOKEN=…]

If you lose it, revoke and issue a new one. Plaintext is not stored anywhere after this reveal.

Existing tokens table

One row per active token:

  • Name — the label you picked
  • Prefix — first 12 chars (for identification; not the full secret)
  • Scopes — currently a single pat scope; per-scope tokens land in a later release
  • Expires — date or Never
  • Created — date
  • Revoke button — soft-deletes the token immediately (callers using it get 401)

Using a token

CLI

The pfnstudio CLI reads the token from the PFNSTUDIO_TOKEN environment variable or the --token <pat> flag:

export PFNSTUDIO_TOKEN="pfnstudio_pat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Push a local prior into a project
pfnstudio push prior ./my-prior.py --project pfnstudio-demo
# Push a model spec
pfnstudio push model ./my-model.yaml --project pfnstudio-demo
# List your runs
pfnstudio runs list --project pfnstudio-demo

HTTP / Python

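import os
import requests

# Read the token from the environment instead of hard-coding it in the script
token = os.environ["PFNSTUDIO_TOKEN"]
resp = requests.post(
    "https://cloud.pfnstudio.com/projects/<id>/runs/v0_1/predict",
    headers={"Authorization": f"Bearer {token}"},
    json={"context": {...}, "query": {...}},  # placeholders for your payload
    timeout=30,
)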

CI

Drop the token in your CI secrets and read it as PFNSTUDIO_TOKEN:

# .github/workflows/push.yml
env:
  PFNSTUDIO_TOKEN: ${{ secrets.PFNSTUDIO_TOKEN }}
steps:
  - run: pfnstudio push prior priors/my-prior.py --project pfnstudio-demo

Token lifecycle

| Event | What happens |
| --- | --- |
| Issue | Plaintext revealed once on the page; hashed copy stored server-side |
| Use | Every authenticated request validates against the hash + checks expiry |
| Expire | Tokens past their expiresAt date 401 automatically — no manual rotation needed |
| Revoke | Soft-delete; subsequent calls 401 |
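
The lifecycle above, modelled as an added example (not pfnstudio's server code): an in-memory store that keeps only a hash of each token, which is why the plaintext cannot be recovered after issue, and that answers 401 for expired or revoked tokens. The TokenStore class, SHA-256 as the hash and the random token format are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

PREFIX_LEN = 12  # the tokens table shows the first 12 chars


class TokenStore:
    """Hypothetical in-memory model of issue / use / expire / revoke."""

    def __init__(self):
        self._rows = {}  # SHA-256 digest -> metadata; plaintext is never kept

    @staticmethod
    def _digest(token):
        # Assumption: plain SHA-256, reasonable for high-entropy random tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, name, expires_in_days=None, now=None):
        now = now or datetime.now(timezone.utc)
        token = "pfnstudio_pat_" + secrets.token_hex(16)  # constructed format
        expires_at = None  # blank expiry field means the token never expires
        if expires_in_days is not None:
            expires_at = now + timedelta(days=expires_in_days)
        self._rows[self._digest(token)] = {
            "name": name, "prefix": token[:PREFIX_LEN],
            "expires_at": expires_at, "revoked_at": None,
        }
        return token  # revealed once; only the digest remains afterwards

    def revoke(self, name, now=None):
        # Soft-delete: the row stays for audit but is stamped as revoked.
        for row in self._rows.values():
            if row["name"] == name and row["revoked_at"] is None:
                row["revoked_at"] = now or datetime.now(timezone.utc)

    def authenticate(self, presented, now=None):
        """Return the HTTP status a caller presenting this token would get."""
        now = now or datetime.now(timezone.utc)
        row = self._rows.get(self._digest(presented))
        if row is None or row["revoked_at"] is not None:
            return 401  # unknown or revoked
        if row["expires_at"] is not None and now >= row["expires_at"]:
            return 401  # past expiresAt
        return 200
```

Passing `now` explicitly lets you step through expiry without waiting; in the model, as in the table, revocation takes effect on the very next request.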

Best practices

  • One token per machine / CI environment — makes revocation surgical
  • Name tokens explicitly: “laptop” / “ci-bot-prod” beats unnamed
  • Set expiries — anything > 90 days probably wants a re-issue cadence in your calendar
  • Don’t commit tokens — drop them in .env.local (gitignored) or your CI secrets store
  • Revoke proactively — when a teammate leaves the org, revoke their tokens before downgrading their org membership

Scopes (future)

Tokens currently grant full PAT scope. Per-resource scoping (read-only, single-project, push-only) lands in a later release. Until then, treat a token like a password — anyone with it can act as you within the org.