POST/v1/api_tokens
api_tokens.create
Mints a new bearer token. **The raw `token` value is shown exactly once in this response** — store it securely. There is no recovery path; the database keeps only an HMAC-pepper-hashed digest (workers/api never sees the plaintext after this response). Subsequent reads of this row return only the canonical fields (id, name, prefix, scope, timestamps), never `token`. Mirrors GitHub PAT and Stripe restricted-key UX. To rotate: create a new token, update your integration, then DELETE the old one.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| Idempotency-Key | string | optional | Optional client-supplied key for at-most-once semantics. The first request with a given key is processed; subsequent requests with the same key replay the cached response for 24h. |
Request body
No parameters.
Response
No parameters.
Examples
curl -sS -X POST \
-H "Authorization: Bearer $CULPRIT_API_TOKEN" \
-H "content-type: application/json" \
-d '{ /* … */ }' \
https://api.theculprit.ai/v1/api_tokensTry it
Stored locally in your browser at localStorage.docs.tryit.token. Never sent to Culprit's analytics. Use a read-only token.