Scoped Tokens: Best Practices

impact.com allows you to create scoped tokens: API credentials with fine-grained permissions, which grant access to specific API endpoints. Learn more about keeping your tokens secure.

Benefits of scoped tokens

Stronger security

Scoped tokens only allow access to what’s needed, reducing risk if credentials are compromised.

Better access control

Set, per token, which APIs it may call and which HTTP methods it may use on each of them.

Simpler management

Streamline token oversight, especially when working with multiple teams or external partners.

Insightful monitoring

Gain visibility into token usage to better understand API traffic and manage rate limits effectively.

Improved token management

Easily create, manage, and revoke tokens without disrupting other integrations.

Best practices for creating scoped tokens

Follow these best practices to ensure security, clarity, and effective management when creating scoped tokens:

Choose only the APIs and methods you need

Define scopes by selecting only the specific APIs and HTTP methods (GET, POST, PUT, DELETE) that your integration actually requires. If your integration only needs to retrieve data, grant access to that API using only the GET method.

Apply the principle of least privilege

Always start with the minimum level of access needed and only add more permissions if absolutely necessary. Avoid enabling POST, PUT, or DELETE methods unless your integration explicitly requires them.

Use descriptive names and explanations

Give each token a clear, meaningful name, and include a detailed description. This helps your team manage, understand, and audit token usage more effectively.

Assign a responsible technical contact

Make sure each token has a designated technical contact. This person will be responsible for receiving important updates, alerts, or notifications related to API access and integration performance.

Select the correct API version

Ensure the token is aligned with the version of the API your integration is built to use. This helps maintain compatibility and prevents unexpected errors.

Monitor and manage scoped tokens

Check token usage regularly

Make a habit of checking how your tokens are being used. You can do this by setting up a dashboard to track token activity or by asking impact.com for usage details. Also watch for recurring errors in your integration: repeated 403 "Access Denied" responses usually mean the token has been deactivated or lacks a scope the integration needs.

Avoid giving too much access

Tokens that have more permissions than they need can be dangerous if they’re ever exposed. To prevent this, compare what a token is allowed to do with what it’s actually doing. If it has access it doesn’t need, remove it.

Rotate tokens often

Change token credentials regularly to limit the window in which a leaked token is useful. Aim to rotate every few months; once a quarter is a good rule. To rotate without an outage, create the replacement token with the same scopes, switch your integrations to it, then deactivate (rather than delete) the old token. Once you have confirmed that nothing is still using the old token, delete it; deactivation is reversible, deletion is not.

Use clear names and descriptions

Give each token a name and description that explain what the token is for and who owns it. Include the app or system using it, its purpose, and whether it is for testing or live use. Also assign a person on your team as the main contact for each token in case of any issues.

Remove tokens you don't use

Old or unused tokens are credentials that nobody is watching. Plan regular clean-ups, monthly or quarterly, to go through all tokens. Deactivate any token that has shown no activity since the last review, and delete it once you are confident nothing depends on it.
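The three checks above (is each grant actually exercised, is the token used at all, is it collecting 403 denials, which the FAQ below explains are returned for deactivated or invalid tokens) can be run as one reconciliation pass over your own request logs. The script below is an added example, not impact.com code: the token identifiers, endpoint paths and the one-request-per-line log format are hypothetical placeholders, and the log itself is constructed. Feed it whatever your gateway or dashboard actually records.

```python
"""Reconcile what scoped tokens may do with what they actually do.

Added example, not impact.com code. Token IDs, endpoint paths and the log
format are hypothetical placeholders; the sample log is constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Grants = Dict[str, Set[str]]  # endpoint path prefix -> allowed HTTP methods


class Request(NamedTuple):
    token: str
    method: str
    path: str
    status: int


# Hypothetical scoped tokens and the scopes granted to each.
GRANTS: Dict[str, Grants] = {
    "tok_reporting": {"/Reports": {"GET"}},
    "tok_sync": {
        "/Campaigns": {"GET"},
        "/Actions": {"GET", "POST", "PUT", "DELETE"},
    },
    "tok_legacy_export": {"/Reports": {"GET"}, "/Actions": {"GET"}},
}

# Constructed access log, one request per line: <token> <METHOD> <path> <status>.
SAMPLE_LOG = """
tok_reporting GET /Reports/123 200
tok_reporting GET /Reports/124 200
tok_sync GET /Campaigns/9 200
tok_sync POST /Actions 201
tok_sync GET /Actions/55 200
tok_sync PUT /Campaigns/9 403
tok_sync PUT /Campaigns/9 403
tok_sync PUT /Campaigns/9 403
tok_reporting GET /Reports/125 200
"""


def parse_log(text: str) -> List[Request]:
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token, method, path, status = line.split()
        entries.append(Request(token, method.upper(), path, int(status)))
    return entries


def granted_endpoint(grants: Grants, path: str) -> Optional[str]:
    """Longest granted prefix covering `path`, matched on path-segment boundaries
    so a grant on /Actions does not also cover a hypothetical /ActionsExport."""
    best = None
    for endpoint in grants:
        if path == endpoint or path.startswith(endpoint + "/"):
            if best is None or len(endpoint) > len(best):
                best = endpoint
    return best


def analyze(grants_by_token: Dict[str, Grants], entries: List[Request]) -> dict:
    """Report unused grants, tokens with no traffic, and tokens collecting 403s."""
    used: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    denied: Counter = Counter()
    denied_requests: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    active: Set[str] = set()

    for r in entries:
        active.add(r.token)
        if r.status == 403:
            # Access Denied: token deactivated, invalid, or missing this scope.
            denied[r.token] += 1
            denied_requests[r.token].add((r.method, r.path))
            continue
        grants = grants_by_token.get(r.token, {})
        endpoint = granted_endpoint(grants, r.path)
        if endpoint is not None and r.method in grants[endpoint]:
            used[r.token].add((endpoint, r.method))

    report = {"unused_grants": {}, "stale_tokens": [], "denied": {}}
    for token, grants in grants_by_token.items():
        if token not in active:
            report["stale_tokens"].append(token)  # no requests at all
            continue
        unused = sorted(
            (endpoint, method)
            for endpoint, methods in grants.items()
            for method in methods
            if (endpoint, method) not in used[token]
        )
        if unused:
            report["unused_grants"][token] = unused  # granted, never exercised
    for token, count in denied.items():
        report["denied"][token] = {"count": count, "requests": sorted(denied_requests[token])}
    return report


def run_sample() -> dict:
    return analyze(GRANTS, parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for section, findings in run_sample().items():
        print(f"{section}: {findings}")
```

On the constructed log the pass flags tok_sync's PUT and DELETE grants on /Actions as never used (remove them), tok_legacy_export as having no traffic at all (deactivate, then delete), and tok_sync's repeated 403s on PUT /Campaigns/9 as an integration doing something its token was never scoped for, which is a decision for the token's technical contact rather than a reason to widen the scope.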

Frequently asked questions

Will existing integrations be impacted?

No. Existing integrations using legacy tokens will continue to function. However, we recommend transitioning to scoped API access tokens for improved security and management.

What are legacy tokens?

Legacy tokens are an older type of access token that preceded scoped tokens. Scoped tokens became available on impact.com after May 2025.

How many scoped tokens can I create?

Each account can have up to 20 active scoped tokens. Tokens can be deactivated or deleted as needed.

What happens when a token is deactivated?

Deactivated tokens will be denied access, returning a 403 "Access Denied" response. This allows for temporary suspension without deleting the token.

What if you use an invalid token to access an API?

If you make a request to an API without a valid scoped access token, you will see a 403 “Access Denied” response.

Can you recover a deleted token?

No. Deleting a token permanently removes the access token and all of its assigned permissions. If you deleted a token in error, create a new token, select the same scopes, and update every integration that used the old one to the new credentials.
