Access Tokens
Create and manage Personal Access Tokens for accessing SBOM Observer programmatically.
Access tokens provide a secure method for users and applications to access protected resources without exposing credentials. These tokens represent the authorization granted to a client, enabling secure interactions with resources on behalf of a user or service.
About Personal Access Tokens
SBOM Observer Personal Access Tokens (PATs) provide an alternative to using traditional login credentials for authentication when interacting with the SBOM Observer API.
PATs allow secure access to SBOM Observer resources on your behalf. They're essential for:
- CLI authentication — Use the Observer CLI to upload and analyze SBOMs
- CI/CD pipelines — Integrate SBOM generation into your build workflows
Token Security Best Practices
Treat tokens as secrets. Store them in a secrets manager or your CI system's secret store rather than in plain files, share them only with the systems that need them, and never commit them to version control. Because a token can be revoked at any time, creating a separate token for each system that needs one lets you revoke a single integration without breaking the others.
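A simple way to enforce the "never commit tokens" rule is a git pre-commit hook. The following hook is an added example and not part of SBOM Observer's own tooling; it assumes the token is only ever referenced through the OBSERVER_TOKEN variable shown on this page, and treats any literal value assigned to that variable (other than the documentation placeholder, a `$VAR`/`${VAR}` reference, or a `<token>` style placeholder) as a leaked secret. The sample input in the test is constructed.

```shell
#!/bin/sh
# Added example (not SBOM Observer tooling): a git pre-commit hook that blocks
# commits containing a hard-coded OBSERVER_TOKEN value.
# Install: cp this-file .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
#
# Assumption: the only place a token appears in source is an assignment to the
# OBSERVER_TOKEN variable, as in the CLI instructions on this page.

# scan_file FILE: returns 0 if the file is clean, 1 if it assigns a literal
# (non-placeholder, non-variable) value to OBSERVER_TOKEN.
scan_file() {
    # Pull out every "OBSERVER_TOKEN=<value>" occurrence, strip the variable
    # name and any surrounding quotes, and inspect what is left.
    grep -oE 'OBSERVER_TOKEN=[^[:space:]]+' "$1" 2>/dev/null |
    sed -e 's/^OBSERVER_TOKEN=//' -e "s/^['\"]//" -e "s/['\"]$//" |
    while IFS= read -r value; do
        case "$value" in
            ''|'$'*|'<'*|your-token-here)
                # Empty, a shell/CI variable reference ($VAR, ${VAR},
                # ${{ secrets.X }}), or a documentation placeholder: fine.
                ;;
            *)
                echo "$1: hard-coded OBSERVER_TOKEN value; use a secret store instead" >&2
                exit 1   # exits the while-loop subshell, failing the pipeline
                ;;
        esac
    done
}

# check_staged: scan every file that is staged for the commit.
check_staged() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] && { scan_file "$f" || status=1; }
    done
    return $status
}

# Only run the staged-file check when invoked by git as the pre-commit hook,
# so the file can also be sourced for its functions.
case "${0##*/}" in
    pre-commit) check_staged || exit 1 ;;
esac
```

The hook only catches the obvious `OBSERVER_TOKEN=...` pattern; it is a guard rail, not a substitute for keeping the token out of the repository in the first place.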
Token Scope and Permissions
When creating a PAT in SBOM Observer, the token's validity is tied to a specific namespace, rather than the entire organization. This means the access and permissions granted by the PAT are limited to the resources and actions available within that particular namespace.
Token Lifetime: Personal Access Tokens remain valid for 1 year from the date of creation. After this period, the token will expire and you'll need to generate a new token.
You can view the expiration dates of all generated tokens in the access tokens list to help track their validity periods.
Future updates will add support for multiple namespaces per organization and for customizable token permissions.
Creating a Personal Access Token
Navigate to Access Tokens
- Log into SBOM Observer
- Click on your Profile at the bottom left corner
- Select Access Tokens from the menu
Generate the Token
- Click Create Access Token
- Enter a descriptive name for the token (e.g., "CI/CD Pipeline" or "Production CLI")
- Click Create token to generate it
Save Your Token
Save immediately
The token will only be displayed once. Copy and store it securely immediately after creation.
Once you close the dialog, the token will appear in your list of Personal Access Tokens, but the secret value will no longer be visible.
Using Your Token
Set your token as an environment variable and use it with the Observer CLI:
# Set as environment variable
export OBSERVER_TOKEN=your-token-here
# Use with Observer CLI
observer upload my-app.cdx.json
observer analyze my-app.cdx.json
Revoking a Personal Access Token
If you need to revoke a PAT, follow these steps. Note that revocation is immediate and irreversible — any systems using that token will immediately lose access.
Locate the Token
Find the token in your Personal Access Tokens list
Select It
Click the checkbox next to the token's details
Revoke
Click the Revoke Token button
Confirm
Confirm the permanent revocation when prompted
Revocation is permanent
Revoking a token cannot be undone. Any system or user relying on that token will lose access immediately. Ensure you have alternative authentication methods in place before revoking a PAT.
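The three operational facts above (the token is read from the OBSERVER_TOKEN environment variable, it expires one year after creation, and revocation cuts off access immediately) are easiest to handle with a small preflight step that runs before any `observer` command in CI. The script below is an added example, not part of the Observer CLI or its documentation. It assumes that you record the expiry date shown in the Access Tokens list in a second variable, OBSERVER_TOKEN_EXPIRES (YYYY-MM-DD), and that GNU `date` is available; both are assumptions, not features of the product. The dates in the test are constructed.

```shell
#!/bin/sh
# Added example (not SBOM Observer tooling): preflight checks to run before the
# Observer CLI in CI. Fails fast with a clear message when the token is missing
# (for example after it was revoked), never prints the token itself, and warns
# when the recorded expiry date is near so the token can be rotated in time.
#
# Assumptions: OBSERVER_TOKEN_EXPIRES holds the expiry date from the Access
# Tokens list as YYYY-MM-DD (operator-maintained, not provided by the CLI);
# GNU date is available for date arithmetic.

# require_token: 0 if OBSERVER_TOKEN is set to a real value, 1 otherwise.
require_token() {
    case "${OBSERVER_TOKEN:-}" in
        ''|your-token-here)
            echo "OBSERVER_TOKEN is not set; a revoked or expired token must be replaced" >&2
            return 1 ;;
    esac
    return 0
}

# mask_token TOKEN: keep the first 4 characters so logs can tell tokens apart
# without revealing the secret.
mask_token() {
    prefix=$(printf '%s' "$1" | cut -c1-4)
    rest=$(printf '%s' "$1" | cut -c5- | sed 's/./*/g')
    printf '%s%s\n' "$prefix" "$rest"
}

# days_until EXPIRY [TODAY]: whole days from TODAY (default: current UTC date)
# to EXPIRY; negative once EXPIRY has passed.
days_until() {
    exp=$(date -u -d "$1" +%s)
    now=$(date -u -d "${2:-$(date -u +%F)}" +%s)
    echo $(( (exp - now) / 86400 ))
}

# check_expiry EXPIRY [TODAY] [WARN_DAYS]: 1 if the token has expired,
# 0 otherwise; prints a warning when fewer than WARN_DAYS (default 30) remain.
check_expiry() {
    days=$(days_until "$1" "${2:-}")
    warn=${3:-30}
    if [ "$days" -lt 0 ]; then
        echo "token expired $(( 0 - days )) day(s) ago; generate a new one" >&2
        return 1
    elif [ "$days" -lt "$warn" ]; then
        echo "token expires in $days day(s); rotate it soon" >&2
    fi
    return 0
}

# preflight: run all checks; the caller chains the real CLI command after it.
preflight() {
    require_token || return 1
    echo "using token $(mask_token "$OBSERVER_TOKEN")"
    if [ -n "${OBSERVER_TOKEN_EXPIRES:-}" ]; then
        check_expiry "$OBSERVER_TOKEN_EXPIRES" || return 1
    fi
    return 0
}

# Typical CI usage, with the commands shown earlier on this page:
#   preflight && observer upload my-app.cdx.json
```

Keep `set -x` (shell tracing) off in the step that exports or uses OBSERVER_TOKEN; tracing prints every expanded command, which would write the full token into the CI log.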
Next Steps
- Use tokens in CI/CD to automate SBOM operations
- Upload SBOMs via API using your access token
- Observer CLI reference for CLI authentication details