API Tokens
API tokens provide long-lived authentication for server integrations, scripts, and automated workflows. Unlike user tokens, they don't expire automatically.
Creating API Tokens
Via Admin Panel
- Go to Settings > API Tokens in your Pylo admin panel
- Click Create Token
- Enter a name to identify the token's purpose
- Select permissions (see below)
- Click Create
Copy Your Token
The token is only shown once. Copy it immediately and store it securely.
Via API
```graphql
mutation {
  createPyloApiKey(
    input: {
      name: "CI/CD Integration"
      permissions: ["read", "write"]
    }
  ) {
    data {
      id
      name
      token
    }
  }
}
```
Using API Tokens
Include the token in the pylo-api-key header:
```bash
curl -X POST https://api.pyloapp.com/graphql \
  -H "Content-Type: application/json" \
  -H "pylo-api-key: YOUR_API_TOKEN" \
  -d '{"query": "{ customerList { data { id name } } }"}'
```
In the Next.js SDK, set the PYLO_API_KEY environment variable and the server client uses it automatically.
Permissions
API tokens support granular permission levels:
| Permission | Description |
|---|---|
| read | Query entities (list and by-ID) |
| write | Create, update, and delete entities |
| admin | Full access including user management and settings |

Permissions can be combined — for example, a token with ["read", "write"] can query and mutate data but cannot manage users or app settings.
Principle of least privilege
Always create tokens with the minimum permissions required. A read-only integration should never have write or admin access.
Revoking Tokens
Via Admin Panel
- Go to Settings > API Tokens
- Find the token to revoke
- Click Delete
Via API
```graphql
mutation {
  deletePyloApiKey(ids: ["token-id"]) {
    data {
      success
    }
  }
}
```
Revoked tokens immediately stop working. Any requests using the token will receive an UNAUTHORIZED error.
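The create, use and revoke steps above combine into a token-rotation routine: mint the replacement first, switch consumers over, then revoke the old token so there is no window in which callers receive UNAUTHORIZED. This is an added example, not Pylo's own code or SDK; it assumes the endpoint, header and mutation shapes shown on this page, that the token used to call it is permitted to manage tokens, and that the response mirrors the `data { success }` selection. The `transport` parameter exists so the logic can be exercised without a network.

```python
import json
import urllib.request

ENDPOINT = "https://api.pyloapp.com/graphql"


def auth_headers(token):
    """Authenticate the way the curl example does: via the pylo-api-key header."""
    return {"Content-Type": "application/json", "pylo-api-key": token}


def create_mutation(name, permissions):
    """createPyloApiKey mutation from this page. json.dumps escapes the caller-supplied
    name, so a name containing quotes cannot change the structure of the query."""
    return ("mutation { createPyloApiKey(input: { name: %s permissions: %s }) "
            "{ data { id name token } } }"
            % (json.dumps(name), json.dumps(list(permissions))))


def delete_mutation(ids):
    """deletePyloApiKey mutation from this page."""
    return "mutation { deletePyloApiKey(ids: %s) { data { success } } }" % json.dumps(list(ids))


def http_transport(token, query):
    """Default transport: POST the query to the GraphQL endpoint and return parsed JSON."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(ENDPOINT, data=body, headers=auth_headers(token), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def rotate_token(admin_token, old_id, name, permissions, transport=http_transport):
    """Create the replacement before revoking the old token. Returns the new token
    record; store its `token` field immediately, it is only returned once."""
    if "admin" in permissions:
        # Example least-privilege policy (an assumption): automation tokens never get admin.
        raise ValueError("refusing to create an admin-level automation token")
    created = transport(admin_token, create_mutation(name, permissions))
    if created.get("errors"):
        raise RuntimeError("create failed: %s" % created["errors"])
    new_token = created["data"]["createPyloApiKey"]["data"]
    revoked = transport(admin_token, delete_mutation([old_id]))
    if revoked.get("errors") or not revoked["data"]["deletePyloApiKey"]["data"]["success"]:
        # Leave the new token in place: two valid tokens beat a half-finished rotation.
        raise RuntimeError("old token %s is still active; revoke it manually" % old_id)
    return new_token
```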