Access Tokens

Access Tokens are currently in Beta · Send feedback.

Access tokens are personal secrets that allow you to interact with Gitpod programmatically through the Gitpod CLI. When you use an access token with Gitpod, all performed actions assume the authorization of the user who created the token.

Permissions (Scopes)

Each Access Token either has:

  • No Access.
  • Full Access to Resources and APIs which the token owner also has access to.

By default, an Access Token has No Access. You need to explicitly select Full Access to successfully authorize.

In the future, we will expand Access Tokens with fine grained permissions.


All Access Tokens have an expiration time. When a token expires, requests made with the token will fail with Unauthorized. When a token expires, you can regenerate it.

Managing Access Tokens

Listing Access Tokens

You can list your Access Tokens in your user Settings, or by going to

Creating an Access Token

You can create an Access Token by navigating to or through Settings > Access Tokens. Clicking New Access Token will prompt you to specify details of the token.

  • Your access tokens will automatically expire after the specified duration.
  • Once you create an Access Token, it will be shown to you once. Make sure you store it in a secure place, you will not be able to retrieve it again.

Updating an Access Token

Access Token can be updated. You can update the following properties on a token:

  • Name
  • Permission scopes

When you update a token, the token secret remains unaffected and you can continue to use it, until it expires.

Regenerating Access Tokens

Access Token can be regenerated. Regenerating a token will:

  • Create a new token secret, which you’ll need to store in a secure place and replace your old one.
  • The new token will have a new expiration time.
  • The old token will no longer be valid and will receive Unauthorized when interacting with APIs.

Deleting Access Tokens

Personal Access token can be deleted. Once deleted, the token is no longer valid for interaction with APIs.

Was this helpful?