Skip to main content
Personal Access Tokens (PATs) give external tools like AI agents or scripts access to your Spote account without using your password. Each token acts as a long-lived credential that you can create, label, and revoke independently.

When you need a PAT

  • Connecting an AI agent — tools like Claude Desktop or Cursor connect to Spote via the MCP server and require a token to authenticate.
  • Calling the REST API from a script — if you’re building an integration or automation that calls /api/notes or other endpoints, use a PAT to authenticate your requests.

Creating a token

1

Open Settings

Click the gear icon in the top bar to open Settings.
2

Click New token

Click the New token button to open the token creation form.
3

Give the token a label

Enter a descriptive label so you can identify the token later, for example Claude Desktop or My Script.
4

Generate the token

Click Generate. Spote creates the token and displays it on screen.
5

Copy the token immediately

Copy the token now. It starts with spote_ and is shown only once. Spote stores only a hash of the token — the raw value cannot be retrieved after you close this screen.
Your token is shown only once. Store it somewhere safe — you cannot retrieve it later. If you lose it, delete the token and generate a new one.

Using a token

Pass the token as a Bearer token in the Authorization header of your API requests:
curl https://your-spote-app.com/api/notes \
  -H "Authorization: Bearer spote_YOUR_TOKEN_HERE"
All Spote REST API endpoints that require authentication accept this header.

Revoking a token

Go to Settings and find the token you want to remove. Click the delete icon next to it. The token is invalidated immediately — any requests using that token will receive a 401 Unauthorized response.

Security tips

  • Create a separate token for each tool — one for Claude Desktop, one for your scripts, and so on. This way you can revoke a single token without affecting your other integrations.
  • Revoke tokens you no longer use.
  • Never share tokens with others or commit them to version control.