> ## Documentation Index
> Fetch the complete documentation index at: https://docs.spote.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Create and manage Personal Access Tokens

> Personal Access Tokens let AI agents and scripts authenticate with Spote. Create and revoke tokens independently per integration from the Settings page.

Personal Access Tokens (PATs) give external tools like AI agents or scripts access to your Spote account without using your password. Each token acts as a long-lived credential that you can create, label, and revoke independently.

## When you need a PAT

* **Connecting an AI agent** — tools like Claude Desktop or Cursor connect to Spote via the MCP server and require a token to authenticate.
* **Calling the REST API from a script** — if you're building an integration or automation that calls `/api/notes` or other endpoints, use a PAT to authenticate your requests.

## Creating a token

<Steps>
  <Step title="Open Settings">
    Click the gear icon in the top bar to open **Settings**.
  </Step>

  <Step title="Click New token">
    Click the **New token** button to open the token creation form.
  </Step>

  <Step title="Give the token a label">
    Enter a descriptive label so you can identify the token later, for example `Claude Desktop` or `My Script`.
  </Step>

  <Step title="Generate the token">
    Click **Generate**. Spote creates the token and displays it on screen.
  </Step>

  <Step title="Copy the token immediately">
    Copy the token now. It starts with `spote_` and is shown **only once**. Spote stores only a hash of the token — the raw value cannot be retrieved after you close this screen.

    <Warning>
      Your token is shown only once. Store it somewhere safe — you cannot retrieve it later. If you lose it, delete the token and generate a new one.
    </Warning>
  </Step>
</Steps>

## Using a token

Pass the token as a Bearer token in the `Authorization` header of your API requests:

```bash theme={null}
curl https://your-spote-app.com/api/notes \
  -H "Authorization: Bearer spote_YOUR_TOKEN_HERE"
```

All Spote REST API endpoints that require authentication accept this header.

## Revoking a token

Go to **Settings** and find the token you want to remove. Click the delete icon next to it. The token is invalidated immediately — any requests using that token will receive a `401 Unauthorized` response.

## Security tips

<Tip>
  * Create a separate token for each tool — one for Claude Desktop, one for your scripts, and so on. This way you can revoke a single token without affecting your other integrations.
  * Revoke tokens you no longer use.
  * Never share tokens with others or commit them to version control.
</Tip>
