How to Create an API Token (Personal Access Token)

This guide explains how to create Personal Access Tokens (PATs) to connect external tools like AI agents, MCP servers, and automation scripts to your Authn8 account.

What are API Tokens?

API tokens (also called Personal Access Tokens or PATs) allow external tools to access your Authn8 2FA codes programmatically. This is useful for:

  • Connecting AI agents like Claude, Cursor, ChatGPT, or AntiGravity via MCP servers
  • Automating CI/CD pipelines that need 2FA codes
  • Building custom integrations with the Authn8 API

Step 1: Navigate to API Tokens

From the main navigation, go to Settings, then click on API Tokens in the settings menu.

Step 2: Click Create Token

Click the "Create Token" button in the top right corner of the API Tokens page.

Step 3: Configure Your Token

In the modal that appears, fill in the following fields:

  • Name: A friendly label to identify this token (e.g., "MCP Server - Production" or "CI/CD Pipeline")
  • Scoped Groups: Optionally select specific groups to limit which 2FA accounts this token can access. Leave empty to allow access to all groups.
  • Expires At: Optionally set an expiration date. Leave empty for a token that never expires.

Step 4: Copy Your Token

After clicking "Create Token", your new token will be displayed. Copy it immediately as it will not be shown again.

Important: Store your token securely. You will not be able to view the full token again after closing the modal.

Step 5: Use Your Token

Include your token in API requests using the Authorization header:

Authorization: Bearer pat_xxxxxxxxxxxxxxxxxxxxx

For MCP server configuration, you have two options:

Option A: NPM Package (Local Clients)

Best for Claude Desktop, Cursor, AntiGravity, and other local AI clients. Add to your config file:

{
  "mcpServers": {
    "authn8": {
      "command": "npx",
      "args": ["-y", "@authn8/mcp-server"],
      "env": {
        "AUTHN8_API_KEY": "pat_your_token_here"
      }
    }
  }
}

Option B: SSE Server (Remote/Cloud Clients)

Best for ChatGPT and other cloud-based AI agents. Configure with:

  • Server URL: https://api.authn8.com/mcp/sse
  • Authorization Header: Bearer pat_your_token_here

Security Best Practices

  • Use scoped groups: Only grant access to the specific groups an integration needs
  • Set expiration dates: Use short-lived tokens for temporary access or contractors
  • Use descriptive names: Make it easy to identify what each token is used for
  • Revoke unused tokens: Regularly review and revoke tokens that are no longer needed
  • Never share tokens: Each integration should have its own token for proper audit trails
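
Option A stores the token in plaintext in the client's config file, so a local check of that file supports the storage and review practices above. The following Python script is an added example, not part of Authn8's tooling; it assumes tokens begin with "pat_" as in this page's samples, and the function names, the constructed sample token, and the 600 file-mode recommendation are this example's own.

```python
import json
import os
import re
import stat
import tempfile

# Assumption: real tokens start with "pat_" as in this page's examples; the
# length and alphabet are not documented here, so the pattern is deliberately loose.
PAT_RE = re.compile(r"pat_[A-Za-z0-9_-]{8,}")
PLACEHOLDERS = {"pat_your_token_here", "pat_xxxxxxxxxxxxxxxxxxxxx"}

def mask(token):
    """Keep only a short prefix so reports never contain a usable token."""
    return token[:8] + "..."

def audit_mcp_config(path):
    """Return findings for plaintext tokens in one MCP client config file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        servers = json.load(fh).get("mcpServers", {})
    findings = []
    for name, server in servers.items():
        # Tokens can sit in "env" (as in Option A) or be pasted into "args".
        values = list(server.get("env", {}).items())
        values += [("args", a) for a in server.get("args", [])]
        for key, value in values:
            if isinstance(value, str) and value not in PLACEHOLDERS:
                for token in PAT_RE.findall(value):
                    findings.append(f"{name}.{key}: plaintext token {mask(token)}")
    # A readable config only matters if it actually holds a token.
    if findings and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:03o} lets other users read it; use 600")
    return findings

def write_sample(token, mode):
    """Write a constructed Option A style config to a temp file and return its path."""
    sample = {"mcpServers": {"authn8": {
        "command": "npx", "args": ["-y", "@authn8/mcp-server"],
        "env": {"AUTHN8_API_KEY": token}}}}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    path = write_sample("pat_CONSTRUCTED0123456789", 0o644)  # constructed, not a real token
    print("\n".join(audit_mcp_config(path)))
    os.remove(path)
```

Point audit_mcp_config at the actual config file of each local client; the file-mode check applies to POSIX systems only.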

Revoking a Token

To revoke a token, go to the API Tokens page and click the "Revoke" button next to the token you want to disable. The token will stop working immediately.
