Creating and revoking API tokens

Programmatic access without exposing your password.

API tokens let you script against Vintony without storing your password anywhere. Generate one from /dashboard/account → API tokens → Create token.

Each token has a label (free text), an unguessable secret (32 random bytes, hex-encoded), and a last-four display for identification. We hash the secret on the server; the only time you see the raw value is at creation.

Scope: by default, tokens have full account access. Per-service or per-action scopes are on the roadmap and will be available without invalidating existing tokens.

Revoke tokens from the same panel. Revocation is immediate; any in-flight requests using the token return 401 within ~5 seconds (subject to caching at the edge).
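A minimal sketch of the token lifecycle described above (issue, hash-only storage, verify, revoke), added here as an example and not Vintony's own code. The SHA-256 digest, the in-memory `TOKENS` table, and all function names are assumptions; the page states only that the secret is 32 random bytes, hex-encoded, and hashed on the server.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for the server's token table (hypothetical schema).
# Keyed by the digest of the secret; the raw secret is never stored.
TOKENS = {}


def digest(secret: str) -> str:
    # Assumption: unsalted SHA-256. A fast hash is acceptable here only because
    # the secret is 32 random bytes, not a human-chosen password.
    return hashlib.sha256(secret.encode("ascii")).hexdigest()


def create_token(label: str) -> str:
    """Issue a token and return the raw secret, the only time it exists in the clear."""
    secret = secrets.token_hex(32)  # 32 random bytes -> 64 hex characters
    TOKENS[digest(secret)] = {"label": label, "last_four": secret[-4:], "revoked": False}
    return secret


def verify_token(presented: str):
    """Return the record for a valid, unrevoked secret, else None (caller answers 401)."""
    try:
        candidate = digest(presented)
    except UnicodeEncodeError:  # non-ASCII input can never be a hex secret
        return None
    for stored, record in TOKENS.items():
        if hmac.compare_digest(stored, candidate):  # constant-time comparison
            return None if record["revoked"] else record
    return None


def revoke_token(label: str, last_four: str) -> bool:
    """Mark the token identified in the panel as revoked; False if no such token."""
    for record in TOKENS.values():
        if record["label"] == label and record["last_four"] == last_four:
            record["revoked"] = True
            return True
    return False
```

Because only the digest and the last four characters are kept, a lost secret cannot be recovered from the server side; the token has to be revoked and re-issued.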

Best practice: one token per integration. Don't share tokens across scripts; rotation gets harder. If a token leaks, revoke and re-issue — no other action is needed.