Personal access token
A personal access token (a cpt_pat_... value) is how you reach Caputchin from outside the dashboard: the HTTP API, the MCP server, and the Terraform provider all authenticate with it as a Bearer token. Your account has exactly one, it is free, and you manage it from account settings.
It is distinct from a site key's secret (cpt_sec_...), which is only for runtime verification. The personal access token is for managing your account; the site secret is for checking a single key's tokens. They have very different blast radii, so treat the personal access token with more care.
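The prefix distinction above is worth enforcing in code, because the two credentials look alike but have very different blast radii. The helper below is an added example for this page, not Caputchin's client library: it classifies a credential by its documented cpt_pat_ / cpt_sec_ prefix, refuses to build a Bearer header from anything but a personal access token, reads the token from an environment variable (the variable name CAPUTCHIN_PAT is an assumption), and masks any credential that ends up in a log line.

```python
import os
import re

# Credential prefixes as documented on this page.
PAT_PREFIX = "cpt_pat_"   # personal access token: account management over API/MCP/Terraform
SEC_PREFIX = "cpt_sec_"   # site key secret: runtime token verification only

# The environment variable name is an assumption for this example.
TOKEN_ENV_VAR = "CAPUTCHIN_PAT"


def classify_credential(value: str) -> str:
    """Return 'pat', 'site_secret' or 'unknown' based on the documented prefix."""
    if value.startswith(PAT_PREFIX):
        return "pat"
    if value.startswith(SEC_PREFIX):
        return "site_secret"
    return "unknown"


def bearer_headers(token: str) -> dict:
    """Build the Authorization header for a management call.

    Refuses anything that is not a personal access token: a site secret exists
    only for runtime verification and must never be sent as the account
    credential, and an unrecognised string is most likely a copy-paste mistake.
    """
    token = token.strip()
    kind = classify_credential(token)
    if kind != "pat":
        raise ValueError(f"expected a cpt_pat_ personal access token, got a {kind} credential")
    return {"Authorization": f"Bearer {token}"}


def load_token_from_env(var: str = TOKEN_ENV_VAR) -> str:
    """Read the token from the environment so it never lives in source or Terraform files."""
    token = os.environ.get(var)
    if not token:
        raise RuntimeError(f"{var} is not set; mint or rotate the token in account settings and export it")
    bearer_headers(token)  # fail fast if the wrong kind of credential was exported
    return token.strip()


# Matches either credential type wherever it appears in free text.
_CRED_RE = re.compile(r"cpt_(pat|sec)_[A-Za-z0-9_\-]+")


def redact(text: str) -> str:
    """Mask any Caputchin credential in a log line, keeping the prefix and last 4 chars."""
    def mask(m: re.Match) -> str:
        full = m.group(0)
        return f"cpt_{m.group(1)}_...{full[-4:]}"
    return _CRED_RE.sub(mask, text)


if __name__ == "__main__":
    print(redact("Authorization: Bearer cpt_pat_example000012345 -> 401"))
```

Because the old value stops authenticating as soon as the token is rotated or revoked, a 401 from a call built this way is the signal to re-export the new value rather than to retry.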
What it can do
The personal access token carries your own full access. It is the master credential for your account, so anything you can do in the dashboard, it can do over the API, MCP, or Terraform:
- Create, rename, and delete troops.
- Manage members and their permissions in any of your troops.
- Create, configure, and delete site keys, and rotate their secrets.
- Configure hosted verification, game customization, and security.
- Mint, rotate, and revoke other tokens, including troop access tokens.
- View seats and account-level settings.
What it cannot do
- Billing. Plan changes, payment, and cancellation are dashboard-only and are never exposed to any token. See billing.
- Reach another account. It only ever acts within your own account; it cannot touch resources you do not own.
- Survive revocation. Once revoked or rotated, the old value stops authenticating on its next use.
Stronger than a troop access token
There are two kinds of token, and the personal access token is the more powerful:
| | Personal access token | Troop access token |
|---|---|---|
| Scope | Master over the whole account, every troop and every site | Only the specific troops it is attached to, with the permissions granted there |
| How many | Exactly one per account | As many as your seats allow |
| Cost | Free | Takes a seat from your pool |
| Can mint other tokens | Yes | No |
| Best for | Your own automation and infrastructure-as-code over the whole account | Giving a teammate or a service scoped, least-privilege access to certain troops |
Reach for a troop access token when you want to grant narrow, least-privilege access; reach for the personal access token when you are automating your own account end to end. Troop access tokens are covered under troops.
Managing it
You mint, rotate, and revoke the token from account settings:
- Mint creates the token. Its value is shown once, at creation; copy it then, because Caputchin stores only a hash and can never show it again.
- Rotate swaps the secret in place. The id and name stay the same; the old value stops working immediately, so update wherever you use it.
- Revoke disables it. The next request with the old value fails.
Tracing its use in the audit logs
On the Apex plan, every action the token takes is on the audit logs, attributed to the token by name (not to a browser session), so you can tell automation apart from a person.
- The token's own lifecycle (mint, rotate, revoke) is on the account log as account.pat.mint, account.pat.rotate, and account.pat.revoke.
- Anything the token then does is recorded on the level it touched, with the token as the actor: troop changes on the troop log, site-key changes on the site-key log.
In any log, filter the actor to personal access tokens (or search the token's name) to see exactly what it did, and turn on denied attempts to catch anything it tried but was not allowed to do.
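The filter described above can be reproduced offline over an exported log. The script below is an added example, not part of Caputchin's tooling: it reads newline-delimited JSON records, groups everything personal access tokens did by token name with denied attempts kept separate, and pulls the account.pat.mint / account.pat.rotate / account.pat.revoke lifecycle events off the account log. The sample records and their field names (ts, level, action, actor.kind, actor.name, outcome, target) are constructed for this example and are not Caputchin's export schema.

```python
import json
from collections import defaultdict

# Lifecycle event names documented on this page.
PAT_LIFECYCLE = {"account.pat.mint", "account.pat.rotate", "account.pat.revoke"}

# Constructed sample records; the schema is an assumption for this example.
# The denied billing attempt reflects the page's rule that billing is never
# exposed to any token.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "level": "account", "action": "account.pat.mint", "actor": {"kind": "user", "name": "alice"}, "outcome": "allowed"}
{"ts": "2024-05-01T09:05:12Z", "level": "troop", "action": "troop.create", "actor": {"kind": "pat", "name": "alice-pat"}, "outcome": "allowed", "target": "troop/payments"}
{"ts": "2024-05-01T09:05:40Z", "level": "site_key", "action": "sitekey.secret.rotate", "actor": {"kind": "pat", "name": "alice-pat"}, "outcome": "allowed", "target": "sitekey/checkout"}
{"ts": "2024-05-01T09:06:03Z", "level": "account", "action": "billing.plan.change", "actor": {"kind": "pat", "name": "alice-pat"}, "outcome": "denied"}
{"ts": "2024-05-01T10:30:00Z", "level": "troop", "action": "troop.member.add", "actor": {"kind": "user", "name": "bob"}, "outcome": "allowed", "target": "troop/payments"}
{"ts": "2024-05-01T11:00:00Z", "level": "account", "action": "account.pat.rotate", "actor": {"kind": "user", "name": "alice"}, "outcome": "allowed"}
"""


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pat_activity(records: list) -> dict:
    """Group everything personal access tokens did, keyed by token name.

    Mirrors the dashboard filter 'actor = personal access token' with denied
    attempts turned on: allowed actions and denied attempts are kept apart so a
    token probing past what it is permitted to do stands out.
    """
    summary = defaultdict(lambda: {"allowed": [], "denied": []})
    for rec in records:
        actor = rec.get("actor", {})
        if actor.get("kind") != "pat":
            continue  # browser sessions and other actors are not of interest here
        bucket = "denied" if rec.get("outcome") == "denied" else "allowed"
        summary[actor.get("name", "?")][bucket].append(
            (rec["ts"], rec["level"], rec["action"], rec.get("target"))
        )
    return dict(summary)


def pat_lifecycle(records: list) -> list:
    """Return the token's mint/rotate/revoke events from the account log, oldest first."""
    events = [
        (rec["ts"], rec["action"], rec.get("actor", {}).get("name"))
        for rec in records
        if rec.get("level") == "account" and rec.get("action") in PAT_LIFECYCLE
    ]
    return sorted(events)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, action, who in pat_lifecycle(recs):
        print(f"{ts} {action} by {who}")
    for name, buckets in pat_activity(recs).items():
        print(f"{name}: {len(buckets['allowed'])} allowed, {len(buckets['denied'])} denied")
        for ts, level, action, target in buckets["denied"]:
            print(f"  DENIED {ts} [{level}] {action} {target or ''}")
```

A rotation event on the account log with no matching change in your own automation, or any entry at all in the denied bucket, is the kind of line this filter is meant to surface.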
See also
- Account settings: where you mint, rotate, and revoke it.
- Automation: using the token with the API, MCP, and Terraform.
- Audit logs: tracing what the token did.