# create_api_token (/docs/reference/mcp-tools/create_api_token)



{/* Generated by apps/docs/scripts/generate-mcp-pages.mjs — do not edit by hand. */}

Mint a scoped personal access token (secret returned once).

|                     |                    |
| ------------------- | ------------------ |
| Required permission | `tokens:write`     |
| Capability ID       | `apiTokens.create` |
| Destructive         | No                 |

## Parameters [#parameters]

| Parameter   | Type                           | Required | Notes |
| ----------- | ------------------------------ | -------- | ----- |
| `name`      | string                         | yes      |       |
| `type`      | `PAT` \| `MCP`                 | no       |       |
| `scopes`    | array of string                | no       |       |
| `expiresAt` | string (ISO date-time) \| null | no       |       |

## Input schema (JSON Schema) [#input-schema-json-schema]

```json
{
  "type": "object",
  "properties": {
    "name": {
      "type": "string",
      "minLength": 1,
      "maxLength": 120
    },
    "type": {
      "type": "string",
      "enum": [
        "PAT",
        "MCP"
      ],
      "default": "PAT"
    },
    "scopes": {
      "type": "array",
      "items": {
        "type": "string",
        "minLength": 1,
        "maxLength": 120
      },
      "default": []
    },
    "expiresAt": {
      "anyOf": [
        {
          "type": "string",
          "format": "date-time"
        },
        {
          "type": "null"
        }
      ]
    }
  },
  "required": [
    "name"
  ],
  "additionalProperties": false
}
```

## Access control [#access-control]

A call succeeds only when the personal access token's scopes **and** the holder's role both allow `tokens:write` (effective permission = scope ∩ role, default-deny). The tool runs inside the token owner's organization — tenancy is never a parameter.