Automation Cloud API guide
Personal Access Tokens
Personal Access Tokens (PATs) allow you to access UiPath services and resources with ease while maintaining a high level of security.
A Personal Access Token is a unique alphanumeric string that serves as a substitute for your credentials when interacting with our APIs and services. Instead of providing your username and password directly, you can generate a Personal Access Token that grants you controlled access to specific UiPath resources.
PATs are only available for local users. They are not available for directory users or SAML.
Using Personal Access Tokens for authentication offers several key benefits:
- Enhanced security: PATs reduce the risk of exposing your primary credentials, since they're used in place of your username and password.
- Fine-grained access control: With scopes and permissions, you can precisely define the level of access each token has, allowing you to limit actions to only what's necessary.
- Expiration date: You can ensure that tokens have a limited validity period by assigning them an expiration date.
Token scopes define the specific actions or resources a token is allowed to access. When creating a token, you are prompted to select the appropriate scopes based on what you intend to do with it. Examples of scopes can include:
- TM.Defects.Read - allows performing actions related to reading or accessing defects in Test Manager.
- OR.Folders - allows reading folder data, creating, modifying, and managing folders in Orchestrator.
When generating a Personal Access Token, you have to select scopes that align with the tasks you intend to perform. You should only request scopes that are necessary for your use case. By minimizing the permissions of a token, you reduce the impact it can have if it becomes compromised, and, as such, you enhance security.
To select appropriate scopes:
- Determine the tasks you need the token to perform, such as reading folder data or managing folders.
- Consult the list of available scopes and their descriptions in the token generation process.
- Choose the smallest set of scopes that will allow your token to accomplish tasks effectively.
In scenarios where you need to maintain the same level of access but wish to refresh your token, you can consider regenerating a Personal Access Token. Regeneration creates a new token with identical scopes and permissions as the original. However, make sure to update any scripts, applications, or integrations that use the old token with the new one.
Regeneration is only applicable to tokens that have not yet expired. Once a token has expired, it cannot be regenerated.
Orchestrator's caching mechanism stores PATs for an hour. Consequently, revoked tokens may still access Orchestrator resources for up to an extra hour until the cache expires.
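The scope-selection, regeneration and cache rules above can be checked against a token inventory you keep yourself. The following is an added example, not UiPath code: the record layout, token names, dates and the 14-day renewal window are assumptions, and only the two scope names and the one-hour cache come from this page.

```python
from datetime import datetime, timedelta, timezone

# From this page: Orchestrator caches PATs for an hour, so revocation can lag by that long.
ORCHESTRATOR_CACHE_TTL = timedelta(hours=1)
RENEW_WINDOW = timedelta(days=14)  # assumption: local policy for "expires soon"


def audit_token(token, needed_scopes, now):
    """Return findings for one PAT inventory record (hypothetical schema)."""
    findings = []
    excess = sorted(set(token["scopes"]) - set(needed_scopes))
    if excess:
        # Regeneration keeps identical scopes, so it cannot fix over-scoping.
        findings.append("excess scopes (replace, do not regenerate): " + ", ".join(excess))
    revoked_at = token.get("revoked_at")
    if revoked_at is not None:
        cache_clear = revoked_at + ORCHESTRATOR_CACHE_TTL
        if now < cache_clear:
            findings.append("revoked, Orchestrator may honour it until " + cache_clear.isoformat())
    elif token["expires_at"] <= now:
        findings.append("expired: cannot be regenerated, issue a new token")
    elif token["expires_at"] - now <= RENEW_WINDOW:
        findings.append("expires soon: regenerate and update integrations")
    return findings


# Constructed sample inventory; names, dates and the record layout are illustrative.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "folder-sync", "scopes": ["OR.Folders", "TM.Defects.Read"],
     "expires_at": NOW + timedelta(days=90), "revoked_at": None},
    {"name": "old-ci", "scopes": ["OR.Folders"],
     "expires_at": NOW + timedelta(days=30), "revoked_at": NOW - timedelta(minutes=30)},
    {"name": "defect-report", "scopes": ["TM.Defects.Read"],
     "expires_at": NOW - timedelta(days=1), "revoked_at": None},
]
NEEDED = {"folder-sync": ["OR.Folders"], "old-ci": ["OR.Folders"],
          "defect-report": ["TM.Defects.Read"]}


def audit_inventory(inventory, needed, now):
    """Map each token name to its list of findings."""
    return {t["name"]: audit_token(t, needed[t["name"]], now) for t in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, NEEDED, NOW).items():
        print(name, findings or ["ok"])
```

During incident response, treat the reported cache-clear time as the earliest point at which a revoked token can be assumed dead in Orchestrator.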