API tokens#
API tokens authenticate package-index API requests, including release uploads
from the sysand client. This page lists the token types, limits, and upload
authorization behavior enforced by Sysand Index.
For the step-by-step token creation workflow, see Create an API token. For trusted publishing OIDC upload tokens, see Trusted publishing.
Token types#
Token type |
Prefix |
Scope |
|---|---|---|
Account API token |
|
Uses the account owner’s permissions. It can upload to existing projects the account can maintain and can create new projects in namespaces where the account is allowed to publish. |
Project API token |
|
Scoped to one existing project. It can upload releases only for that project. |
Trusted publishing upload token |
|
Short-lived token issued by OIDC token exchange for one matched trusted publisher and project. |
The API authentication layer accepts bearer tokens whose value starts with one of those prefixes. Other token prefixes are rejected for package-index API authentication.
Creation limits#
Account and project API tokens use the same creation rules:
Rule |
Value |
|---|---|
Name length |
3-100 characters |
Name characters |
Letters, numbers, spaces, underscores, hyphens, and slashes |
Name boundary |
Must start and end with a letter or number |
Expiration |
1-365 days |
Default expiration |
90 days |
Active-token cap |
5 non-expired account tokens per user, and 5 non-expired project tokens per project by default |
Creation rate limit |
5 token creation attempts per user per hour by default, shared between account and project token creation |
Creating an account or project API token requires recent reauthentication. Stale sessions are sent through the account reauthentication flow before the token creation request is replayed.
Visibility and storage#
The full plaintext token is shown only once, immediately after creation. Sysand Index stores a token hash and a display prefix, not the full plaintext token.
Responses that show a newly created plaintext token are marked Cache-Control: no-store.
Token lists show metadata such as the token name, display prefix, creation time, expiration time, and last-used time where applicable.
Revocation and expiry#
Expired tokens are rejected during API authentication. Revoked account and project tokens are deleted and can no longer be used.
Project API tokens created by a project member are automatically revoked if that member is removed from the project or if the creator account is deleted.
Authentication failures#
API requests fail with 401 Unauthorized when the bearer token is missing,
uses an unsupported prefix, does not match a stored token hash, has expired, or
is a trusted publishing upload token that has already been consumed.
Upload requests fail with 403 Forbidden when the token is valid but is not
authorized for the target namespace or project.