Tokens

Tokens are credentials used to authorize requests to the Altium 365 API. All API requests must include a valid token in the Authorization header.

Tokens are created in your Workspace under Admin → Developer. Only Workspace administrators can create tokens.

Tokens are shown once. At creation, the token value is displayed once and is never stored or retrievable by Altium. Copy and store it securely.

Token Types

Two types of tokens are available, differing in how they're used and what security trade-offs they make.

Long-lived Access Token

A single credential used directly as the bearer token in API requests. You configure its lifetime at creation – up to 1 year.

Authorization: Bearer {token}

This is the simpler option: one value, used directly. It works well for scripts, automation, and local development where ease of use matters more than credential rotation.

The main limitation is that the token value doesn't change over its lifetime. If it's exposed, it remains valid until it expires or is manually revoked.

Refresh Token

A more secure option that separates the long-lived credential from the short-lived one used in API requests. At creation, you receive three values:

  • Client ID – identifies the token client

  • Client secret – authenticates the token client

  • Refresh token – the long-lived credential

You exchange these for a short-lived access token by calling the token endpoint. The access token is what you use in API requests. When it expires, you request a new one using the same refresh token.

The refresh token has a configurable lifetime of up to 1 year. The access tokens it produces are short-lived.

This approach is better suited for production integrations:

  • The credential that travels with every API request (the access token) is short-lived

  • The long-lived secret (the refresh token) stays in your secure storage and is never sent to the API directly

See Using a Refresh Token for the token exchange flow.
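The two credential shapes described above (a long-lived access token used directly as the bearer value, and a refresh token that is exchanged for short-lived access tokens) can be modelled in a small client-side credential layer. The following is an added example, not Altium's own code or SDK: the token endpoint URL is a placeholder, and the exchange call is injected as a function so the example runs offline; the real endpoint and request format are documented in Using a Refresh Token. It shows that only the short-lived access token ever appears in the Authorization header, that the cached access token is reused until shortly before expiry, and how a client should react to the authorization error a revoked token produces.

```python
"""Added example (not part of the Altium 365 API documentation or SDK).

Assumptions made here, not stated on the page:
  - TOKEN_ENDPOINT_URL is a placeholder for the real token endpoint.
  - `exchange` is an injectable callable (client_id, client_secret, refresh_token)
    -> (access_token, expires_in_seconds); a real one would POST to the token endpoint.
"""
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_ENDPOINT_URL = "https://TOKEN-ENDPOINT-PLACEHOLDER/token"  # placeholder, see Using a Refresh Token
ExchangeFn = Callable[[str, str, str], Tuple[str, int]]


class LongLivedAccessToken:
    """One credential, sent directly as the bearer token on every request."""

    def __init__(self, token: str):
        self._token = token

    def authorization_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self._token}"}

    def invalidate(self) -> None:
        pass  # nothing to rotate: the value stays the same until it expires or is revoked


class RefreshTokenCredential:
    """Three values at rest; only a short-lived access token travels with API requests."""

    SKEW_SECONDS = 30  # exchange a little early so a request never goes out with a stale token

    def __init__(self, client_id: str, client_secret: str, refresh_token: str,
                 exchange: ExchangeFn, clock: Callable[[], float] = time.time):
        self._client_id, self._client_secret, self._refresh_token = client_id, client_secret, refresh_token
        self._exchange, self._clock = exchange, clock
        self._access_token: Optional[str] = None
        self._expires_at = 0.0

    def _needs_exchange(self) -> bool:
        return self._access_token is None or self._clock() >= self._expires_at - self.SKEW_SECONDS

    def authorization_header(self) -> Dict[str, str]:
        if self._needs_exchange():
            # The refresh token goes only to the token endpoint, never to the API itself.
            token, expires_in = self._exchange(self._client_id, self._client_secret, self._refresh_token)
            self._access_token, self._expires_at = token, self._clock() + expires_in
        return {"Authorization": f"Bearer {self._access_token}"}

    def invalidate(self) -> None:
        self._access_token = None  # force a fresh exchange on the next request


def call_api(credential, send: Callable[[Dict[str, str]], int]) -> int:
    """Send one request. On a 401, drop the cached access token and retry once;
    a second 401 means the credential itself has expired or been revoked."""
    status = send(credential.authorization_header())
    if status == 401:
        credential.invalidate()
        status = send(credential.authorization_header())
    return status


def demo() -> dict:
    """Offline walkthrough with a constructed fake token endpoint, fake API and controllable clock."""
    now = [1_000_000.0]
    exchanges, sent_headers = [], []

    def fake_exchange(client_id, client_secret, refresh_token):
        exchanges.append(refresh_token)
        return f"at-{len(exchanges)}", 3600  # constructed short-lived token, one hour

    def fake_send(headers):
        sent_headers.append(headers["Authorization"])
        return 200

    cred = RefreshTokenCredential("cid", "csecret", "rt-secret", fake_exchange, clock=lambda: now[0])
    call_api(cred, fake_send)   # first request: exchange, then call
    call_api(cred, fake_send)   # still valid: cached access token reused
    now[0] += 3600              # move the clock past expiry
    call_api(cred, fake_send)   # expired: exchange again
    return {"exchanges": len(exchanges), "bearer_values": sent_headers,
            "refresh_token_sent_to_api": any("rt-secret" in h for h in sent_headers)}


def demo_after_revocation() -> dict:
    """Constructed: the API answers 401 to everything, as it does once a token is revoked."""
    exchanges = []

    def fake_exchange(client_id, client_secret, refresh_token):
        exchanges.append(refresh_token)
        return f"at-{len(exchanges)}", 3600

    cred = RefreshTokenCredential("cid", "csecret", "rt-secret", fake_exchange)
    status = call_api(cred, lambda headers: 401)
    return {"status": status, "exchanges": len(exchanges)}


if __name__ == "__main__":
    print(demo())
    print(demo_after_revocation())
```

The `demo()` run performs two exchanges across three API calls (the second call reuses the cached access token) and never puts the refresh token in a request header; `demo_after_revocation()` shows that after one retry the client surfaces the 401 instead of looping, which is the point at which an operator should check Admin → Developer for a revoked or expired token.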

Choosing a Token Type

                        Long-lived Access Token        Refresh Token
Credential count        1 (access token)               3 (client ID + client secret + refresh token)
API request credential  Token itself                   Short-lived access token (via exchange)
Rotation                Manual                         Automatic via exchange
Best for                Scripts, local dev, testing    Production integrations

Scopes

Every token is associated with a set of OAuth scopes that define which API operations it can authorize. Scopes are configured when the token is created and cannot be changed afterward.

See OAuth Scopes for the full list of available scopes and how they map to API capabilities.

Token Lifetime

Both token types have a configurable lifetime of up to 1 year, set at creation time. There is no automatic renewal – once a token expires, a new one must be created.

For refresh tokens, the lifetime applies to the refresh token itself. The access tokens it produces have a shorter, fixed lifetime.

Revoking a Token

Tokens can be revoked from Admin → Developer at any time. Revoking a token immediately invalidates it – any API requests using that token will fail with an authorization error.
