Skip to content

Managing Personal Access Tokens

External applications or programmatic scripts (API clients) integrating with IdentityNow must provide credentials for authentication and authorization. In addition to general-use API keys, users can generate and use personal access tokens for this purpose.

A personal access token is a set of user credentials that an API client can use to connect to SailPoint’s APIs. Tokens improve integration security by replacing the need to store the user's username and password in your client application. For more information about personal access tokens, refer to the SailPoint Developer Community.


API calls made with a user's personal access token must follow the network and trusted geography requirements defined in their identity profile.

Generating a Personal Access Token

Any user can create a personal access token. However, tokens cannot provide permissions beyond those granted by the user's access levels. You can select scopes to further restrict the access granted by the token.

Tokens created by end users may have insufficient permissions to access an endpoint. If a token has insufficient permissions, the call will fail. To resolve this, use a personal access token generated by a user with elevated access.


SailPoint Support and Services accounts that have been granted access to your tenant can create personal access tokens. However, these tokens will automatically be deleted when the tenant access expires.

To create a personal access token

  1. Select Preferences from the dropdown menu under your username.
  2. Select Personal Access Tokens from the left menu and select New Token.


    Each user can have up to 10 personal access tokens.

  3. Specify where this token will be used in the What is this token for? field. This can help you recognize when a token is no longer needed and can be deleted from IdentityNow.

  4. Use the toggles to select the desired scopes. To learn more about scopes, refer to the SailPoint Developer Community.

    If no scopes are selected, the default scope will be assigned. The default scope only grants permission for endpoints that do not require authorization.

    Selecting sp:scopes:all authorizes the personal access token to all scopes granted by the user’s assigned user levels. If a user creates a personal access token with this scope and is later granted another user level, their token will take on the updated permissions.

    Best Practice

    To follow the principle of least privilege, only select scopes that are needed by the application that will use this token.

    Refer to the SailPoint Developer Community for the scopes required for each endpoint. If no scope is listed for the endpoint, select sp:scopes:all.

  5. Select Create Token at the bottom of the window to generate and view the Secret and the Client ID.


    Copy and save the Secret and Client ID values before you close this panel. Otherwise, you will have to delete the token and create a new one since these values cannot be retrieved later.

  6. Save the Secret and Client ID somewhere safe.

You can now use this personal access token. Select the edit icon in the Actions column to edit the description or scope for this token.

Deleting a Personal Access Token


You cannot recover a deleted token, so be sure it’s no longer in use or required before deleting.

  1. Select the delete Delete icon in the Actions column for the token you want to delete.
  2. Select Confirm to confirm the deletion.