Authentication - OpenIndex

OpenIndex uses Personal Access Tokens (PATs) as bearer tokens for all API and CLI authentication. There are no session cookies or OAuth flows for programmatic access — every request carries a PAT.

Token scopes

PATs are issued with one of two scopes:

Scope	Access
`read_write`	Work item and queue operations — required for all standard `oi` CLI commands.
`admin`	Superset scope that includes all `read_write` access plus instance admin endpoints.

Use read_write for agents and automation. Reserve admin tokens for administrative tooling.

Create a PAT

Create tokens in the OpenIndex web UI:

Sign in to the web UI.
Navigate to Settings → Personal → Tokens.
Click Create token, enter a name, and choose a scope.
Optionally set an expiry date. If you leave the expiry blank, the token does not expire.
Copy the token value — it begins with oi_pat_ and is shown only once.

The token value is displayed only at creation time. Store it in a secrets manager or environment variable before leaving the page.

You can also create tokens via the API:

POST /me/pats

{
  "name": "local cli",
  "scope": "read_write"
}

Use a PAT with the CLI

Configure your oi profile with your token:

oi profile set --token "oi_pat_..."

Alternatively, set the OPENINDEX_TOKEN environment variable to override the profile value without modifying your config file:

export OPENINDEX_TOKEN="oi_pat_..."

The environment variable takes precedence over the profile token when both are set.

Use a PAT with the HTTP API

Pass the token as a bearer token in the Authorization header:

Authorization: Bearer oi_pat_...

curl -X GET "https://app.openindex.dev/me" \
  -H "Authorization: Bearer oi_pat_..."

PAT lifetime

PATs are non-expiring by default. When you create a token, you can optionally set an expiry date. After the expiry date, the token is rejected with a 401 Unauthorized response. To rotate a token, create a new one and delete the old one.

Manage PATs via API

List tokens
Create a token
Delete a token

GET /me/pats

Returns all PATs for the authenticated user, including token names, scopes, and expiry dates. Token values are not included in list responses.

POST /me/pats

Request body:

{
  "name": "agent-production",
  "scope": "read_write"
}

The response includes the token value. This is the only time the value is returned.

DELETE /me/pats/:id

Deleting a token immediately invalidates it. Any in-flight requests using the token will begin receiving 401 Unauthorized responses.

You can also manage tokens from the CLI:

oi settings personal tokens list
oi settings personal tokens create --name "local cli" --scope read_write

Error handling

Status	Meaning	Resolution
`401 Unauthorized`	Token is missing, invalid, or revoked.	Check the token value with `oi auth check` or `oi profile show`.
`403 Forbidden`	Token scope is insufficient for the requested operation.	Use a token with a higher scope — for example, `admin` for instance admin endpoints.

Run oi auth check to inspect your token’s validity and effective scope:

oi auth check

Security notes

Workflow agent run tokens are intentionally rejected for settings commands. Use a human-owned PAT — not a workflow agent run token — when running oi settings ... commands or any admin endpoint.

Store PATs in environment variables or a secrets manager rather than committing them to source code or config files. Use separate tokens for separate environments so you can revoke them independently.

Documentation Index

​Token scopes

​Create a PAT

​Use a PAT with the CLI

​Use a PAT with the HTTP API

​PAT lifetime

​Manage PATs via API

​Error handling

​Security notes

Token scopes

Create a PAT

Use a PAT with the CLI

Use a PAT with the HTTP API

PAT lifetime

Manage PATs via API

Error handling

Security notes