Admin Tokens
Admin tokens let automation call the AISIX Cloud Admin API without a browser session.
They are intended for organization-level workflows such as CI pipelines, infrastructure automation, or internal tools that manage control-plane resources. They are not caller API keys for gateway traffic or upstream provider keys for model access.
An admin token belongs to one organization. The control plane uses that organization binding when it authenticates the request, so API calls do not need a separate organization header.
Create an Admin Token
Only organization owners can create or revoke admin tokens.
- Open Admin tokens.
- Select New token.
- Enter a unique name.
- Choose an expiration.
- Select one or more scopes.
- Create the token and copy the plaintext value before leaving the one-time view.
The control plane stores only a SHA-256 digest of the token. If you lose the plaintext value, revoke the token and create a replacement.
Choose Scopes
Admin token scopes control which API methods the token can use:
| Scope | Allows |
|---|---|
read | GET requests on AISIX Cloud Admin API routes. |
write | POST, PATCH, and DELETE requests on AISIX Cloud Admin API routes. |
scim | The SCIM directory sync endpoints under /scim/v2, and nothing else. |
Use read for inventory or reporting jobs. Use write only when automation needs to create, update, or delete control-plane resources.
The scim scope is exclusive. A SCIM token cannot carry other scopes and is rejected on every non-SCIM route, so the credential configured into your identity provider cannot read or change gateway resources.
Use an Admin Token
Send the token as a bearer token:
curl -sS "https://<your-cp-api-host>/api/environments" \
-H "Authorization: Bearer ${AISIX_ADMIN_TOKEN}"
Use the Cloud Admin API Reference for routes currently covered by the OpenAPI specification. Some workflow docs also include task-specific API examples, such as Members for creating a directly managed member for API key ownership.
Rotate or Revoke Tokens
Admin token plaintext is not recoverable after creation. To rotate a token, create a replacement token, update the automation that uses it, verify the automation succeeds, and then revoke the old token.
Revoking a token takes effect immediately. Any automation still using that token receives authentication errors until it is updated.
Next Steps
Continue with Members to add dashboard users or API key owners to an organization. For identity-provider provisioning, see SCIM Directory Sync.