links.arjun.tv/docs/end-user/api-tokens-and-automations

API Tokens and Automations

Create and manage Personal Access Tokens (PATs) for programmatic access to your handle's data and operations.

Tip

PATs let you automate link creation, analytics queries, and webhook management without a browser session.

Need help deciding between PAT and JWT for a specific endpoint? Start with JWT vs PAT: When to Use Each.

Key concepts

ConceptWhat it means
PAT (Personal Access Token)A long-lived API credential scoped to a specific handle and set of permissions
ScopeA permission grant (e.g., links.read, analytics.*). Each PAT has one or more scopes that limit what it can do
Token formatpatv1_<tokenId>.<secret> — the secret is shown once at creation and cannot be retrieved again
Route familyPATs only work on /v2/public/handles/{handle}/* routes. They cannot access control-plane routes like /v2/handles/*

Available scopes

ScopeWhat it allows
links.readList and read links
links.writeCreate, update, and delete links
analytics.*Query analytics and export data
webhooks.*Create, list, delete, and test webhook subscriptions
files.readList and read files
files.writeUpload and delete files
site.deployments.readList site deployments and fetch deployment preview URLs
site.deployments.writeCreate site deployments (inline HTML and multifile manifests)
pages.readList creator pages for a handle
pages.writeCreate/update/publish page-backed campaign structures
tracking.templates.*Manage tracking templates
chain.signal.writeSubmit chain signals
personalization.*Read personalization rules (write requires JWT)

Note

Use the narrowest scopes possible. A PAT with links.read cannot create links, and a PAT with analytics.* cannot modify webhooks.

Create a PAT

  1. Open API Tokens

    Go to https://app.{PUBLIC_DOMAIN}, navigate to your handle, and open SettingsAPI Tokens.

  2. Create token

    Click Create Token and name it (e.g., ci-analytics-reader).

  3. Select scopes

    Choose the scopes you need.

  4. Copy the secret

    Click Create. The secret is displayed once — copy and store it securely.

Warning

The secret is only shown at creation time. If you lose it, you must create a new token.

Using a PAT

Include the PAT in the Authorization header:

Authorization: Bearer patv1_<tokenId>.<secret>

Or, where supported, use the x-api-key header:

x-api-key: patv1_<tokenId>.<secret>

Examples

List links

curl -sS "https://api.10x.in/v2/public/handles/acme/links" \
  -H "Authorization: Bearer patv1_abc123.secret456"

Query analytics

curl -sS "https://api.10x.in/v2/public/handles/acme/analytics?funnel=true" \
  -H "Authorization: Bearer patv1_abc123.secret456"

Create a link

curl -sS -X PUT "https://api.10x.in/v2/public/handles/acme/links/new-launch" \
  -H "Authorization: Bearer patv1_abc123.secret456" \
  -H "Content-Type: application/json" \
  -d '{"destinationUrl":"https://example.com/launch","title":"New Launch"}'

Manage tokens

List all tokens

curl -sS "https://api.10x.in/v2/handles/{handle}/tokens" \
  -H "Authorization: Bearer <access-token>"

Returns all active tokens for the handle (without secrets).

Revoke a token

Warning

Immediately invalidates the token. Any in-flight requests using this token will fail.

curl -sS -X DELETE "https://api.10x.in/v2/handles/{handle}/tokens/{tokenId}" \
  -H "Authorization: Bearer <access-token>"

Required auth

  • OPERATOR-level JWT or above to create, list, and revoke tokens.
  • The PAT itself authenticates requests on /v2/public/handles/{handle}/* routes.

When PAT is not enough

Use JWT (not PAT) for control-plane actions such as:

  • collaborator management
  • billing and checkout-session management
  • account-domain operations
  • PAT lifecycle endpoints themselves (/v2/handles/{handle}/tokens*)

If you send a PAT to a JWT-only endpoint, expect a role/scope-style auth failure (commonly 403 insufficient_scope).

PAT-accessible endpoints

Endpoint familyRequired scope
/v2/public/handles/{handle}/linkslinks.read or links.write
/v2/public/handles/{handle}/analyticsanalytics.*
/v2/public/handles/{handle}/webhookswebhooks.*
/v2/public/handles/{handle}/filesfiles.read or files.write
/v2/public/handles/{handle}/site-deploymentssite.deployments.read or site.deployments.write
/v2/public/handles/{handle}/site-deployments/{deploymentId}/previewsite.deployments.read
/v2/public/handles/{handle}/pagespages.read
/v2/public/handles/{handle}/site-structure/campaigns/{campaignId}pages.read (GET), pages.write (PUT)
/v2/public/handles/{handle}/site-structure/campaigns/{campaignId}/publishpages.write
/v2/public/handles/{handle}/function-bindingsVaries by binding

Best practices

  1. One token per system

    Give your CI pipeline one token, your dashboard another, and your webhook processor a third. If one is compromised, you can revoke it without affecting the others.

  2. Minimal scopes

    A dashboard that only reads analytics should not have links.write.

  3. Never commit secrets

    Store PATs in environment variables or a secrets manager. Never hardcode them in source files.

  4. Rotate regularly

    Create a new token, update your systems, then revoke the old one.

Common errors
CodeErrorCause
401missing_bearer_tokenNo Authorization header provided
401invalid_tokenToken format is wrong or the secret does not match
403insufficient_scopeToken does not have the required scope for this endpoint
403insufficient_roleCaller does not have OPERATOR or higher role to manage tokens
404not_foundToken does not exist (already revoked or never created)

Related

JWT vs PAT

Choose the right token model for each workflow.

API Auth and Error Model

Auth modes, error handling, and retry logic

API Endpoint Coverage Map

Full endpoint reference

Troubleshooting

Debug common issues