API and Integrations: Creating and Managing Your API Access Tokens

API access tokens let external tools (dashboards, scripts, partner systems) talk to your RapidPro.app workspace without using your password. Each user can create up to 3 personal tokens and use them in integrations. You can create, rotate, and delete these tokens at any time to control access
Reading time
5–6 min read
Category
Getting Started
Scope
Updated on: 17/12/2025

Create an API token in minutes

If you already know what API tokens are and just need the fast path, follow this:

  1. Open Workspace settings → API Token
  2. Click Create token and reveal the token value
  3. Copy the token value and store it securely
  4. Paste the token into your external app and test the integration
  5. Keep in mind the maximum of 3 tokens per user
  6. Rotate or delete tokens you no longer need

You’re done. Your external tool can now authenticate using your token (without your password).

Step-by-Step Process

1
Open the API Token page
  1. Log in to your RapidPro.app workspace.
  2. In the left sidebar, click the Settings gear icon to open Workspace settings.
  3. In the settings menu, click API Token.

[CAPTURE: Workspace sidebar showing the Settings (gear) icon and the “API Token” item selected.]

💡
Tip: If you manage multiple workspaces (demo vs production), confirm the workspace name before creating tokens.

2
Create a new token and copy it safely
  1. On the API Token page, click Create token (or New token).
  2. A new token value appears (a long string of letters and numbers).
  3. Copy the full token immediately and store it in a secure place (password manager / secrets manager).
  4. Paste the token into your external tool configuration and test the integration.

[CAPTURE: API Token page after clicking “Create token”, showing the new token value on screen.]

⚠️
Warning: Treat tokens like passwords. Anyone who has the token can authenticate to the API as you. Don’t paste tokens into chat, email, or public documents.
⚙️
Technical Detail: API tokens are bearer tokens. Requests that include the token are considered authenticated—so token secrecy is critical.

3
Understand the “maximum of 3 tokens” limit
  1. Review your existing tokens on the page (up to 3).
  2. Plan which integration uses which token (recommended: one token per integration).
  3. When you reach the limit, you must delete one token to create another.

[CAPTURE: Token list showing the “maximum of 3” note and multiple token rows.]

💡
Tip: Since tokens may not have labels/timestamps in the UI, keep a small internal mapping (e.g., “Token A → Reporting”, “Token B → Partner system”).

4
Delete or rotate tokens safely
  1. To delete a token, click the trash/delete icon next to it and confirm.
  2. To rotate a token (replace it):
    • Create a new token (or delete one first if you’re at the 3-token limit).
    • Update your external tool to use the new token.
    • Test the integration.
    • Delete the old token once you’re sure the new one works.

[CAPTURE: Token list with the delete icon highlighted, plus a confirmation dialog.]

⚠️
Warning: Deleting a token invalidates it immediately. Any integration still using it will start failing with authentication errors.

5
Follow token security best practices
  1. Store tokens in a password manager, encrypted environment variables, or a secrets manager.
  2. Rotate tokens when staff leave, when you suspect exposure, or on a periodic schedule.
  3. Use different tokens for different tools (within the 3-token limit).
  4. Avoid embedding tokens in screenshots, repositories, or shared docs.

[CAPTURE: A short “security note” area or token instructions visible on the API Token page.]

💡
Tip: Think of tokens as keys. With only 3 keys per user, assign them intentionally (reporting, partner, internal automation) and document that mapping internally.

Common Issues & Quick Fixes

Problem: I lost my token value and can’t view it again.

Fix: Delete the unusable token (so you don’t keep a “ghost” token), then create a new token and store it securely right away. Update your integration with the new token.

Problem: I hit the limit: “You can have a maximum of 3 tokens”.

Fix: Delete one token you no longer need (or one you can safely rotate), then click Create token again. Update the relevant integration with the new token.

Problem: An integration stopped working after I deleted a token.

Fix: Create a new token, update the failing tool/script with the new value, and test again. If possible, confirm which token the integration was using.

Problem: I don’t know which token is used by which integration.

Fix: Check each tool (dashboard/script/partner config) to see which token it uses, then create a simple internal mapping so future rotations are easy.

Problem: I think a token was exposed (chat/email/screenshot/repo).

Fix: Create a new token, update the affected integration, then delete the exposed token. If the exposure was public, assume it is compromised.

Related Resources
Settings Overview: The Core of Your Workspace
User Management: Adding and Managing Team Roles
Secure Your Account: Enabling Two-Factor Authentication (2FA)