Personal Access Tokens
Personal Access Tokens (PATs) are long-lived tokens for programmatic API access. Use them for testing, server-to-server communication, or any scenario where the full OAuth flow isn't practical.
Creating a PAT
Via Dashboard
Go to app.bluenexus.ai > Settings > Sessions and click Create Personal Access Token.
Select the scopes you need and give the token a descriptive name.
Via API
curl -X POST https://api.bluenexus.ai/api/v1/auth/pat \
-H "Authorization: Bearer YOUR_SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "My CI/CD Token",
"scopes": ["universal-mcp-read-write", "agents-use", "llm-all"],
"expires_in": 2592000
}'
Response:
{
"name": "My CI/CD Token",
"personal_access_token": "eyJhbGciOiJSUzI1NiIs...",
"session_id": "session_abc123",
"expires_in": 2592000
}
Save the token immediately — it's only shown once and cannot be recovered.
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
name |
string | Yes | Descriptive name for the token |
scopes |
string[] | Yes | Scopes the token can access |
expires_in |
number | No | Expiration in seconds. Omit for no expiration |
provider_permissions |
object | No | Per-provider access control (see below) |
default_provider_permission |
string | No | Default permission for new providers |
agent_ids |
string[] | No | Agent IDs the token may access. Omit or null for all agents |
knowledge_base_ids |
string[] | No | Knowledge base IDs the token may access. Omit or null for all KBs |
Provider Permissions
Control which connected services the token can access:
{
"provider_permissions": {
"google": "read-write",
"slack": "read",
"github": "disabled"
},
"default_provider_permission": "read"
}
Values: "read", "read-write", "disabled"
Agent and Knowledge Base Restrictions
Optionally restrict the token to specific agents or knowledge bases:
{
"name": "Restricted CI Token",
"scopes": ["agents-use", "universal-mcp-read-write"],
"agent_ids": ["agent_id_1", "agent_id_2"],
"knowledge_base_ids": ["kb_id_1"]
}
A token with agent_ids set is blocked from the agent REST API for any agent not in the list. Similarly, knowledge_base_ids restricts which knowledge bases are accessible via MCP tools. Omit either field (or set to null) to leave that dimension unrestricted.
Using a PAT
Include the PAT in the Authorization header:
# MCP endpoint
curl -X POST https://api.bluenexus.ai/mcp \
-H "Authorization: Bearer YOUR_PAT" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":"1"}'
# REST API
curl https://api.bluenexus.ai/api/v1/connections \
-H "Authorization: Bearer YOUR_PAT"
Limitations
- PATs can only be created from a regular authenticated session (not from another PAT)
- The scopes available depend on your account's capabilities
- PATs are tied to your account — they access your data and connections
- Lost tokens cannot be recovered; create a new one
Revoking a PAT
Revoke a PAT by deleting its associated session:
curl -X DELETE https://api.bluenexus.ai/api/v1/auth-sessions/SESSION_ID \
-H "Authorization: Bearer YOUR_SESSION_TOKEN"
Or revoke via the dashboard at Settings > Sessions.
Next Steps
- Scopes & Permissions — What each scope controls
- Token Lifecycle — How tokens expire and refresh