Managing and Revoking Tokens

Security best practices for token management

Learn best practices for managing your Personal Access Tokens securely, including when to revoke and rotate them.

Viewing Your Tokens

Go to Settings > Security to see all your active tokens. You'll see:

  • Token name - The label you gave it
  • Token prefix - First few characters (e.g., "cubes_a8f3...")
  • Permissions - Read or Read/Write
  • Last used - When and from where it was last used
  • Expiration - When it will expire (if set)

When to Revoke a Token

Revoke a token immediately if:

  • You suspect it may have been compromised
  • You no longer use the device or application it was created for
  • An employee with access has left your organization
  • You see unexpected "last used" activity

How to Revoke a Token

  1. Go to Settings > Security
  2. Find the token you want to revoke
  3. Click "Revoke"
  4. Confirm the action

Note: Revoking a token is immediate. Any application or script using that token will immediately lose access.

Security Best Practices

Use Descriptive Names

Name tokens after their purpose so you can identify them later:

  • "MacBook Pro - Personal"
  • "GitHub Actions CI"
  • "VS Code - Work Laptop"

Use Minimum Permissions

Only enable "Write" permission if you need to push. Read-only tokens are safer if you only need to clone or pull.

Set Expiration Dates

For most use cases, set tokens to expire:

  • 30 days - Temporary projects, testing
  • 90 days - Regular development work
  • 1 year - Long-term personal devices
  • Never - Only for trusted, permanent automation

One Token Per Device/Purpose

Create separate tokens for each device or application. This way, if one is compromised, you only revoke that one.

Review Regularly

Check your tokens periodically:

  • Remove tokens for devices you no longer use
  • Check "last used" for suspicious activity
  • Rotate tokens that have been in use for a long time
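
The review checklist above can be run as a script over a token inventory; this is an added example, not code from the product, and it uses no product API. The thresholds, the "created" and "expected_from" fields, and the location labels are assumptions you maintain yourself from what Settings > Security shows.

```python
from datetime import date

# Assumed thresholds: the page does not define "no longer use" or "a long time".
STALE_DAYS = 60
ROTATE_DAYS = 365

def audit_tokens(tokens, today):
    """Map token name -> review findings; tokens with no findings are omitted."""
    report = {}
    for t in tokens:
        notes = []
        if t["last_used"] is None or (today - t["last_used"]).days > STALE_DAYS:
            notes.append("stale: revoke if the device or app is no longer used")
        elif t["last_used_from"] not in t["expected_from"]:
            notes.append("unexpected 'last used' location: revoke immediately")
        if (today - t["created"]).days > ROTATE_DAYS:
            notes.append("long-lived: rotate")
        if t["expires"] is None:
            notes.append("never expires: keep only for permanent automation")
        if notes:
            report[t["name"]] = notes
    return report

# Constructed inventory, transcribed by hand from the token list.
# "created", "expected_from" and the location labels are assumed, not product fields.
SAMPLE = [
    {"name": "MacBook Pro - Personal", "created": date(2024, 3, 1),
     "expires": date(2025, 3, 1), "last_used": date(2024, 6, 1),
     "last_used_from": "home", "expected_from": {"home"}},
    {"name": "GitHub Actions CI", "created": date(2023, 1, 15),
     "expires": None, "last_used": date(2024, 6, 2),
     "last_used_from": "unknown-host", "expected_from": {"ci-runner"}},
    {"name": "VS Code - Work Laptop", "created": date(2024, 2, 1),
     "expires": date(2024, 8, 1), "last_used": date(2024, 2, 20),
     "last_used_from": "office", "expected_from": {"office"}},
]

if __name__ == "__main__":
    for name, notes in audit_tokens(SAMPLE, date(2024, 6, 3)).items():
        print(name)
        for note in notes:
            print("  -", note)
```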

Token Rotation

Rotating means creating a new token and revoking the old one. Rotate tokens when:

  • A token has been used for an extended period
  • You're updating credentials as a routine security practice
  • You want to change permissions on an existing token

How to Rotate

  1. Create a new token with the same permissions
  2. Update your applications/scripts with the new token
  3. Verify everything works with the new token
  4. Revoke the old token

Token Limits

  • Maximum 50 active tokens per account
  • Token names can be up to 100 characters
  • Tokens are 46 characters long (prefix + random)

Lost Your Token?

For security, we only show the full token once when it's created. If you've lost a token:

  1. Create a new token with the same settings
  2. Update your applications with the new token
  3. Revoke the old token (optional but recommended)