» API Tokens

Terraform Cloud supports three distinct types of API tokens with varying levels of access: user, team, and organization. There are differences in access levels and generation workflows for each of these token types, which are outlined below.

API tokens are displayed only once when they are created, and are obfuscated thereafter. If the token is lost, it must be regenerated.

» User API Tokens

API tokens may belong directly to a user. User tokens are the most flexible token type because they inherit permissions from the user they are associated with. For more information on user tokens and how to generate them, see the Users documenatation.

» Team API Tokens

API tokens may belong to a specific team. Team API tokens allow access to the workspaces that the team has access to, without being tied to any specific user.

To manage the API token for a team, go to Organization settings > Teams > (desired team) and use the controls under the "Team API Token" header.

Each team can have one valid API token at a time, and any member of a team can generate or revoke that team's token. When a token is regenerated, the previous token immediately becomes invalid.

Team API tokens are designed for performing API operations on workspaces. They have the same access level to the workspaces the team has access to. For example, if a team has write access to a workspace, the team's token can create runs and configuration versions for that workspace via the API.

Note that the individual members of a team can usually perform actions the team itself cannot, since users can belong to multiple teams, can belong to multiple organizations, and can authenticate with Terraform's atlas backend for running Terraform locally.

If an API token is generated for the "owners" team, then that API token will implicitly inherit all of the same permissions that an organization owner would.

» Organization API Tokens

API tokens may generated for a specific organization. Organization API tokens allow access to the organization-level settings and resources, without being tied to any specific team or user.

To manage the API token for an organization, go to Organization settings > API Token and use the controls under the "Organization Tokens" header.

Each organization can have one valid API token at a time. Only organization owners can generate or revoke an organization's token.

Organization API tokens are designed for creating and configuring workspaces and teams. We don't recommend using them as an all-purpose interface to Terraform Cloud; their purpose is to do some initial setup before delegating a workspace to a team. For more routine interactions with workspaces, use team API tokens.

Organization API tokens have permissions across the entire organization. They can perform all CRUD operations on most resources, but have some limitations; most importantly, they cannot start runs or create configuration versions. Any API endpoints that can't be used with an organization API token include a note like the following:

» Access Levels

The following chart illustrates the various access levels for the supported API token types. Some permissions are implicit based on the token type, others are dependent on the permissions of the associated user, team, or organization.

πŸ”· = Implicit for token type πŸ”Ά = Requires explicit permission

User tokens Team tokens Organization tokens
Users
Manage user settings πŸ”·
Manage user tokens πŸ”·
Workspaces
Read workspace variables πŸ”Ά πŸ”Ά πŸ”·
Write workspace variables πŸ”Ά πŸ”Ά πŸ”·
Plan, apply, upload states πŸ”Ά πŸ”Ά
Force cancel runs πŸ”Ά πŸ”Ά
Create configuration versions πŸ”Ά πŸ”Ά
Create or modify workspaces πŸ”Ά πŸ”Ά πŸ”·
Remote operations πŸ”Ά
Teams
Create teams πŸ”Ά πŸ”·
Modify team πŸ”Ά πŸ”· πŸ”·
Read team πŸ”Ά πŸ”· πŸ”·
Manage team tokens πŸ”Ά πŸ”· πŸ”·
Manage team workspace access πŸ”Ά πŸ”Ά πŸ”·
Manage team membership πŸ”Ά πŸ”· πŸ”·
Organizations
Create or modify organizations πŸ”Ά
Manage organization tokens πŸ”Ά
Sentinel
Manage Sentinel policies πŸ”Ά πŸ”Ά πŸ”·
Manage policy sets πŸ”Ά πŸ”Ά πŸ”·
Override policy checks πŸ”Ά πŸ”Ά πŸ”·
Integrations
Manage VCS connections πŸ”Ά πŸ”Ά πŸ”·
Manage SSH keys πŸ”Ά πŸ”Ά πŸ”·
Modules
Manage Terraform modules πŸ”Ά πŸ”Ά