Moderne tokens

There are three types of tokens used throughout the Moderne Platform:

In this doc, you can find detailed information about each of these.

The tokens described in this doc have the same permissions as everyone in the user roles doc. They do not have administrator permissions.

Login token

When a user logs in to the Moderne Platform, a JWT is created for them by Keycloak. This token is then used by the UI to authenticate against various Moderne APIs for things like displaying recipe categories.

This token is not used for accessing or viewing source code. That is done via the SCM Token

Users can find this token by clicking on the GraphQL icon in the top middle of the Moderne Platform once they are logged in:

From there, at the bottom of the GraphQL Explorer, there is a request headers tag that includes this token:

This token can be used to make general GraphQL API calls. Please note, though, that it is preferable to create a Personal Access Token for interacting with the APIs as Personal Access Tokens do not expire.


This token is used in combination with an Identity Provider (IDP) to determine access for users. The IDP configuration maps specific users to specific permissions in Moderne (such as an admin role).

What this means is that the JWT itself does not have a concept of a "role". Rather, a user must be configured as an admin in the IDP in order for them to have admin permissions in Moderne (which grants access to things like agent configurations, repositories, and audit logs). Likewise, if a user has their admin permissions revoked in the IDP, the token can not be used for admin related functionality in Moderne.


Login tokens expire after one hour.

Personal Access Tokens

Personal access tokens are used to make queries against the Moderne GraphQL API.


These tokens do not have a role associated with them. That means that users can't do things like view agent configurations, delete repositories, or view the audit logs. These tokens are, effectively, the same thing as a login token for users who are not admins.


Personal access tokens do not expire. If you want to revoke them, please follow these instructions.

Further reading

For instructions on how to create, view, or revoke personal access tokens, please read the Personal Access Token doc.

Source Code Management (SCM) OAuth token

In order for users to see or interact with source code, an SCM token needs to be created. These tokens are created when a user clicks on one of the SCM logos in the top right corner of the screen OR when an action is performed that requires this token such as viewing a diff or committing code.

These SCM OAuth tokens are stored in association with a user, so if a user logs out and logs back in, that token remains until it expires.

If an SCM token is currently valid, a user can use their Personal Access Token or JWT to interact with the SCM.


SCM tokens will have different permissions depending on the source code manager used and what the user has allowed or not.


SCM tokens expire after 8 hours.

Last updated