Skip to main content
A workspace is an isolated namespace that contains all the tokens, API keys, members, and audit logs for your team. Everything within a workspace is scoped to that workspace — tokens created in one workspace are never visible in another. You manage all workspace-level configuration from the Settings section of the Tooken dashboard.
Workspaces are fully isolated from one another. A token created in your production workspace cannot be seen, used, or revoked from a staging workspace, even within the same account.

General

The General tab under Settings controls your workspace’s identity and localization:
  • Workspace name — The display name shown across the dashboard and in email notifications.
  • Slug — A URL-safe identifier used in API paths and shared links (e.g., my-team). Changing the slug updates all API paths that include it.
  • Timezone — The timezone used to display timestamps in the dashboard and audit logs. This does not affect how timestamps are stored (all timestamps are stored in UTC).
Save changes by clicking Save changes at the bottom of the form.

API keys

The API Keys tab lets you create and manage the keys used to authenticate requests to the Tooken API. All API keys follow the format tok_live_xxxxxxxxxxxxxxxxxxxx. Tooken supports two kinds of API keys:
  • Personal API keys — Scoped to your user account. Use these for local development or personal scripts.
  • Team API keys — Shared across the workspace. Use these for CI/CD pipelines or server-side integrations.
From the API Keys tab you can:
  • Create a key — Click New API Key, enter a name, and click Generate. Copy the key immediately — Tooken shows the full key only once.
  • View keys — See all active keys, their names, creation dates, and last-used timestamps.
  • Regenerate a key — Click Regenerate next to an existing key to invalidate the current secret and generate a new one with the same name and permissions.
  • Delete a key — Click Delete to permanently revoke a key. Any requests using that key will immediately start receiving 401 Unauthorized responses.
Tooken does not store API key secrets after they are generated. If you lose a key, you must regenerate or delete it and create a new one.

Members

The Members tab lets you invite collaborators to your workspace and control what they can do.

Member roles

Each workspace member has one of three roles:
RoleCan create tokensCan revoke tokensCan manage settings
Owner
Admin
Viewer
A workspace has exactly one Owner. Ownership can be transferred to another member from the Members tab, but the current Owner must initiate the transfer.

Invite a team member

1

Open Members settings

In the Tooken dashboard, click Settings in the left sidebar, then select the Members tab.
2

Click Invite

Click the Invite member button in the top-right corner of the Members table.
3

Enter the member's email address

Type the email address of the person you want to invite. The invitation is tied to this address — they must sign in with the same address to accept it.
4

Assign a role

Select a role from the dropdown: Owner, Admin, or Viewer. See the table above for what each role can do.
5

Send the invite

Click Send Invite. Tooken sends an email with an acceptance link. The invite expires after 72 hours. You can resend or cancel pending invites from the Pending invites section.
Use separate workspaces for your production and staging environments rather than sharing a single workspace. This keeps production tokens isolated from test tokens and gives you independent audit logs for each environment.

Default expiration

The Default expiration setting controls the expiration window automatically applied to every new token created in the workspace. When a developer creates a token without specifying an explicit expiration, Tooken uses this workspace default. The default is 90 days. You can change it to any value from 1 day to 365 days, or set it to Never to issue non-expiring tokens by default.
Individual tokens can always override the workspace default at creation time. The workspace default only applies when no explicit expiration is provided.

Audit log retention

Tooken records every significant action taken in your workspace — token creation, revocation, rotation, member changes, and settings updates — in the audit log. The Audit log retention setting controls how long these records are kept before they are permanently deleted. The default retention period is 90 days. You can extend this up to 365 days from the Settings → General tab.
The audit log captures the following event types:
  • Token created, revoked, rotated, or expired
  • API key created, regenerated, or deleted
  • Member invited, role changed, or removed
  • Webhook created, updated, or deleted
  • Workspace settings changed (name, slug, timezone, expiration policy, retention policy)
Each entry includes the actor’s user ID, the timestamp (UTC), and relevant metadata about the action.
Yes. From Settings → Audit Logs, click Export to download a CSV of log entries for a selected date range. You can also retrieve audit log entries programmatically using the GET /audit-logs endpoint with your API key.
Only Owner and Admin role members can view audit logs. Viewers do not have access to the audit log tab.