Issue and revoke tokens
Create, use, and revoke personal access tokens that authenticate the watcher and other Data Hub API clients.
Personal access tokens authenticate the watcher and other API clients. Creating and revoking tokens requires the workspace admin role. Members can view the audit list at Settings → Access Tokens but cannot mint or delete tokens. Roles and scopes: Security and permissions.
Create a token
In the web app
- Sign in as an admin.
- Go to Settings → Access Tokens.
- Click Create token.
- Enter a Name that identifies the client (for example,
FPLC watcher, Lab 201). - Set User to whoever the token acts as. Data Hub attributes write actions, such as claiming a run, to this user. Defaults to you.
- Pick an Expiration: 30 days, 90 days (the default), 1 year, or no expiry.
- Under Scopes, click a preset, or click Customize scopes to pick individual scopes.
- Click Create token.
The plaintext token is shown once: copy it immediately. It starts with dhub_ followed by a 64-character hex string.
Scope presets
A preset selects the minimum scopes a common client needs:
- Read-only: view instruments, runs, files, and watchers; change nothing
- MCP: what an MCP client does, including browse, download, claim, comment, reprocess, and delete runs
- Watcher: what a watcher needs to register, report runs, and upload files
- Lambda: what the processing Lambda needs to write run and file results
You cannot change a token's scopes after creation. To change them, revoke the token and create a new one.
Via the API
Token create/delete are admin-only and session-only (cookie auth). Bearer tokens cannot manage other tokens.
curl -X POST https://datahub.example.com/api/v1/tokens \
-H "Cookie: session_cookie_here" \
-H "Content-Type: application/json" \
-d '{
"name": "FPLC watcher",
"scopes": ["instruments:read", "watchers:report", "runs:create", "runs:upload", "files:update"],
"expires_at": "2027-01-01T00:00:00Z"
}'scopes is required and must be a non-empty list of explicit scopes; the wildcard * is rejected. expires_at is optional; if omitted, the token never expires. The response includes the plaintext once in the token field.
Use a token
With the watcher
During data-hub-watcher init, paste the token when prompted. Or set it first:
export DATA_HUB_API_KEY=dhub_your_token_here
data-hub-watcher initWith an MCP client
{
"mcpServers": {
"data-hub": {
"url": "https://datahub.example.com/api/v1/mcp",
"headers": {
"Authorization": "Bearer dhub_your_token_here"
}
}
}
}See MCP overview for the endpoint. Catalogs for tools, prompts, and resources are stubs until generated docs ship.
With the REST API
curl https://datahub.example.com/api/v1/instruments \
-H "Authorization: Bearer dhub_your_token_here"More in the API overview.
View tokens
Settings → Access Tokens shows name, prefix only (full token is never stored), last used, expiration, and created time.
Revoke a token
- Go to Settings → Access Tokens.
- Delete the token and confirm.
The token is invalidated immediately. Clients using it start receiving 401 Unauthorized.
curl -X DELETE https://datahub.example.com/api/v1/tokens/<token_id> \
-H "Cookie: session_cookie_here"After revoking a token
If a running watcher used that token:
- Create a new token.
- On the instrument PC, re-run
data-hub-watcher initand enter the new token. - Restart the watcher (
data-hub-watcher watchor the Windows service).
Token hygiene
- Name tokens so you can tell which PC or client each belongs to
- Set expirations for temporary setups
- Scope to least privilege; see Token scopes
- Revoke immediately when a watcher is decommissioned or a token may have been exposed
Tokens are hashed with SHA-256 before storage; plaintext is never persisted.