---
type: reference
title: Troop access tokens
summary: Service credentials scoped to a troop, with the same permissions a member has, for automation that should not use a person's access.
---

A troop access token is a credential for reaching a troop from outside the dashboard (the [API, MCP, or Terraform](/docs/automation/management-api)) without using a person's login. It is the right choice for a CI pipeline, a script, or a service: it acts only within the troops you attach it to, with permissions you choose, and it does not depend on any one employee's account.

It is a kind of `cpt_pat_...` token, but scoped, and distinct from your [personal access token](/docs/account-management/personal-access-token), which is account-wide and master. The contrast is worth keeping straight:

| | Troop access token | Personal access token |
|---|---|---|
| Reach | Only the troops it is attached to, with the granted permissions and scope | Master over your whole account, every troop and key |
| How many | As many as your seats allow | Exactly one per account |
| Cost | Takes a [seat](/docs/troops/seats) | Free |
| Best for | Scoped, least-privilege automation; service and CI access | Your own full-account automation and infrastructure-as-code |

## What a troop token can do

A troop token holds the same [four permissions and the same scope](/docs/troops/permissions) a human member does, set the same way. Grant a CI token **edit** scoped to one key, for instance, and that is all it can touch. It cannot manage members or other tokens unless you grant **manage**, and it never reaches another troop or another account.

## Managing tokens

On the troop's tokens surface (you need the **manage** permission):

- **Issue** a token. Its value is shown **once**, at creation; copy it then, because Caputchin stores only a hash and cannot show it again.
- **Attach** an existing token to the troop, or **detach** it, with its permissions and scope.
- **Rotate** a token to swap its secret in place (the old value stops working immediately), or **revoke** it to disable it.

Each attached token takes one seat from your [pool](/docs/troops/seats). On Apex, issuing, attaching, detaching, rotating, and revoking are all recorded in the [troop audit log](/docs/audit-logs/troop-log).

## See also

- [Personal access token](/docs/account-management/personal-access-token): the account's single master token, free, not seated.
- [Permissions and scope](/docs/troops/permissions): what a token can be granted.
- [Automation](/docs/automation/management-api): using a token with the API, MCP, and Terraform.