# Token Access & Management

SeaLights uses tokens for several functions, including the browser extension, API access, and agent communication.

{% hint style="info" %}

* There is no Public API to create, update, or delete Tokens.
* All tokens can be revoked and rotated at any time by users with the relevant permissions, according to the organization's policies.
  {% endhint %}

### **Token Types**

SeaLights employs three types of tokens:

* **Browser Extension Tokens:** Used for browser extension and related functionalities.
* **API Tokens:** Used for SeaLights Public API access.
* **Agent Tokens:** Used for SeaLights agent communication.

***

## **Browser Extension Tokens**

**Purpose:** Used for the [SeaLights browser extension](https://chromewebstore.google.com/detail/sealights/ldcbjefiplkmggapdfbpeemhihkgdmik?hl=en) and related functionalities: displaying SeaLights metrics in your SCM's UI and reporting manual tests.

### Token Access

Browser extension tokens are **user-based**.

* Browser extension tokens are linked to the user who created them.
* These tokens inherit the creator's group access at the time of **using** the token, granting access to applications within the creator's groups.
* Legacy extension tokens have global access (access to all applications).

### Token Management

* Each user can have only one browser extension token.
  * The Create New Token button is disabled if a non-legacy token already exists.
* Users can view, copy, download, refresh, and delete their own browser extension token.
* Legacy tokens are only visible to Admin/DevOps users, and their actions (copy, download, refresh) are disabled.
* If the token creator is deactivated or deleted, the extension token is automatically deactivated or deleted.

<details>

<summary>Token List &#x26; Token Creation</summary>

* Open the SeaLights Settings page, from the Settings button on the top right. \
  ![](/files/ruInsxABLXKElq2vjIGO)
* Go to **Browser Extension Tokens** on the side menu, under **Integration**.
* Press the **Create New Token** button, provide a name for your token, and save.
* Refresh the page, press the **Copy Token** button on the newly created token, and use it according to the specific SeaLights integration requirements.\
  ![](/files/UWmcZu4tQhd84YX5wLSp)

</details>

***

## **API Tokens**

**Purpose:** Used for authentication in SeaLights public API.

### Token Access

API tokens are **group-based**.

* API tokens are linked to specific user groups, granting access to applications within those groups.
* The user groups are linked to the token automatically or by user selection, at the time of **creating** the token or updating it.
* Legacy extension tokens have global access (access to all applications).
* New tokens can also have global access.

### Token Management

* Only Admin/DevOps users can access the API token page.
* Tokens with **Global Access** can be viewed by:
  * All Admin/DevOps users, in case this is a **legacy** token.
  * Admin/DevOps users with permission to manage Users and Permissions, in case this is a non-legacy token with Global Access.
* Admin/DevOps users can view only API tokens with access to groups they are authorized to view:
  * Admin/DevOps users must be assigned to all groups the token has access to, in order to view the token.
    * Example 1: Token with access to groups **A** and **B**, **can be viewed** by an Admin/DevOps user that is assigned to groups **A**, **B**, **C**.
    * Example 2: Token with access to groups **A** and **D**, **cannot be viewed** by an Admin/DevOps user that is assigned to groups **A**, **B**, **C**.
  * Admin/DevOps users with permission to manage Users and Permissions can view all tokens, even if they are not assigned to groups.
* Admin/DevOps users can copy, download, and refresh tokens based on their group authorization.
* Admin/DevOps users with permission to manage Users and Permissions **will not be able** to copy / download / refresh a token if they are not assigned to all the groups the token has access to.
* Admin/DevOps users that are able to view a specific token with Global Access can also copy / download / refresh the token.
* Admin/DevOps users can disable/enable tokens.
* Deletion is only possible after disabling.
* Admin/DevOps users can add groups to existing tokens if additional groups are available. There is no option to remove a group that was already added.

{% hint style="warning" %}
Creating a token does not provide access to this token forever. The creator of a token can view a token as long as his/her assigned groups are aligned with the groups the token has access to.
{% endhint %}

<details>

<summary>Token List &#x26; Token Creation</summary>

* Open the SeaLights Settings page, from the Settings button on the top right.\
  ![](/files/ruInsxABLXKElq2vjIGO)
* Go to **API Token** on the side menu, under **Integration**. Cockpit & Onboarding
* Press the **Create New Token** button, provide a name for your token and save, and select the access level, if required.
* Press the **Copy Token** button and use the token according to the specific SeaLights integration requirements.
* Alternatively, press the **Download Token** button and use the downloaded *sltoken.txt* file according to your integration requirements.

</details>

***

## **Agent Tokens**

**Purpose:** Used for authentication by SeaLights Agents.

### Token Access

Agent tokens are **group-based**.

* Agent tokens are linked to specific user groups, granting access to applications within those groups.
* The user groups are linked to the token automatically or by user selection, at the time of **creating** the token or updating it.
* Legacy extension tokens have global access (access to all applications).
* New tokens can also have global access.

### Token Management

* Only DevOps users can access the Agent token page.
* Tokens with **Global Access** can be viewed by:
  * All DevOps users, in case this is a **legacy** token.
  * DevOps users with permission to manage Users and Permissions, in case this is a non-legacy token with Global Access.
* DevOps users can view only Agent tokens with access to groups they are authorized to view:
  * DevOps users must be assigned to all groups the token has access to, in order to view the token.
    * Example 1: Token with access to groups **A** and **B**, **can be viewed** by a DevOps user that is assigned to groups **A**, **B**, **C**.
    * Example 2: Token with access to groups **A** and **D**, **cannot be viewed** by a DevOps user that is assigned to groups **A**, **B**, **C**.
  * DevOps users with permission to manage Users and Permissions can view all tokens, even if they are not assigned to groups.
* DevOps users can copy, download, and refresh tokens based on their group authorization.
* DevOps users with permission to manage Users and Permissions **will not be able** to copy / download / refresh a token if they are not assigned to all the groups the token has access to.
* DevOps users that are able to view a specific token with Global Access can also copy / download / refresh the token.
* DevOps users can disable/enable tokens.
* Deletion is only possible after disabling.
* DevOps users can add groups to existing tokens if additional groups are available. There is no option to remove a group that was already added.

{% hint style="warning" %}
Creating a token does not provide access to this token forever. The creator of a token can view a token as long as his/her assigned groups are aligned with the groups the token has access to.
{% endhint %}
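
The view and copy / download / refresh rules from the API Tokens and Agent Tokens sections, modeled as an added Python example for reviewing who can reach which token. This is not SeaLights code: the class, field and function names are hypothetical, and legacy tokens are modeled as global-access tokens, as the page states.

```python
from dataclasses import dataclass

# Roles that can open each token page, per the two "Token Management" lists.
PAGE_ROLES = {"api": {"Admin", "DevOps"}, "agent": {"DevOps"}}


@dataclass(frozen=True)
class User:
    role: str
    groups: frozenset = frozenset()
    manage_users: bool = False  # "manage Users and Permissions" permission


@dataclass(frozen=True)
class Token:
    kind: str                   # "api" or "agent"
    groups: frozenset = frozenset()
    global_access: bool = False
    legacy: bool = False        # legacy tokens always carry global access


def can_view(user: User, token: Token) -> bool:
    if user.role not in PAGE_ROLES[token.kind]:
        return False
    if token.global_access:
        # Legacy: every user of the page. Non-legacy: manage permission only.
        return token.legacy or user.manage_users
    # Group-scoped: the user must hold ALL of the token's groups,
    # unless they have the manage permission (view only).
    return token.groups <= user.groups or user.manage_users


def can_copy_download_refresh(user: User, token: Token) -> bool:
    if not can_view(user, token):
        return False
    if token.global_access:
        return True             # whoever can view a global token can act on it
    # The manage permission alone never unlocks the token value.
    return token.groups <= user.groups


# Constructed sample data mirroring Example 1 and Example 2 above.
ABC = frozenset({"A", "B", "C"})
devops = User("DevOps", ABC)
manager = User("DevOps", frozenset(), manage_users=True)
tok_ab = Token("agent", frozenset({"A", "B"}))
tok_ad = Token("agent", frozenset({"A", "D"}))
```

Because visibility is evaluated against the user's current groups, a token's creator stops seeing it as soon as their groups no longer cover the token's groups, which is the case the warning above describes.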

<details>

<summary>Token List &#x26; Token Creation</summary>

* Open the SeaLights Settings page from the Settings button on the top right.\
  ![](/files/ruInsxABLXKElq2vjIGO)
* Go to **Agent Token** entry on the side menu, under **Cockpit & Onboarding**.
* Press the **Create New Token** button, provide a name for your token and save, and select the access level, if required.
* Press the **Copy Token** button and use it according to the specific SeaLights integration requirements.
* Alternatively, press the **Download Token** button and use the *sltoken.txt* file downloaded according to your integration requirements.

</details>

