Troop access tokens

A troop access token is a credential for reaching a troop from outside the dashboard (the API, MCP, or Terraform) without using a person's login. It is the right choice for a CI pipeline, a script, or a service: it acts only within the troops you attach it to, with permissions you choose, and it does not depend on any one employee's account.

It is a kind of cpt_pat_... token, but scoped, and distinct from your personal access token, which is account-wide and has master access. The contrast is worth keeping straight:

|          | Troop access token | Personal access token |
|----------|--------------------|-----------------------|
| Reach    | Only the troops it is attached to, with the granted permissions and scope | Master over your whole account, every troop and key |
| How many | As many as your seats allow | Exactly one per account |
| Cost     | Takes a seat | Free |
| Best for | Scoped, least-privilege automation; service and CI access | Your own full-account automation and infrastructure-as-code |

What a troop token can do

A troop token holds the same four permissions and the same scope a human member does, set the same way. Grant a CI token edit scoped to one key, for instance, and that is all it can touch. It cannot manage members or other tokens unless you grant manage, and it never reaches another troop or another account.

Managing tokens

On the troop's tokens surface (you need the manage permission):

  • Issue a token. Its value is shown once, at creation; copy it then, because Caputchin stores only a hash and cannot show it again.
  • Attach an existing token to the troop, or detach it, with its permissions and scope.
  • Rotate a token to swap its secret in place (the old value stops working immediately), or revoke it to disable it.

Each attached token takes one seat from your pool. On Apex, issuing, attaching, detaching, rotating, and revoking are all recorded in the troop audit log.
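The show-once, hash-only lifecycle described above can be modeled as follows. This is an added example, not Caputchin's code: the `TokenStore` class, its method names, SHA-256 as the hash, and the random suffix format are assumptions; only the `cpt_pat_` prefix comes from this page.

```python
import hashlib
import hmac
import secrets

PREFIX = "cpt_pat_"  # prefix from the page; the random suffix format is an assumption


def _digest(value: str) -> bytes:
    # A fast unsalted hash is acceptable here only because the value
    # carries 256 bits of randomness and cannot be guessed offline.
    return hashlib.sha256(value.encode()).digest()


class TokenStore:
    """Hypothetical in-memory model: keeps a digest per token, never the value."""

    def __init__(self):
        self._rows = {}  # token_id -> {"digest": bytes, "revoked": bool}

    def issue(self, token_id: str) -> str:
        value = PREFIX + secrets.token_urlsafe(32)
        self._rows[token_id] = {"digest": _digest(value), "revoked": False}
        return value  # shown once; only the digest is retained

    def rotate(self, token_id: str) -> str:
        value = PREFIX + secrets.token_urlsafe(32)
        # Overwriting the digest in place keeps the same row, so the old
        # value stops verifying the moment this assignment completes.
        self._rows[token_id]["digest"] = _digest(value)
        return value

    def revoke(self, token_id: str) -> None:
        self._rows[token_id]["revoked"] = True

    def verify(self, presented: str):
        """Return the token id for a live token, else None."""
        candidate = _digest(presented)
        match = None
        for token_id, row in self._rows.items():
            # Constant-time comparison of digests; revoked rows never match.
            if hmac.compare_digest(candidate, row["digest"]) and not row["revoked"]:
                match = token_id
        return match

    def stored_values(self):
        """Everything the store persists: digests only."""
        return [row["digest"] for row in self._rows.values()]
```

Because only digests are persisted, a lost value cannot be recovered from the store; the remedy is to rotate and distribute the new value.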
