# Create Organization Token

Create an adhoc organization token restricted to specified resources and permission set.
Tokens can only be reduced in scope, never expanded.
Permissions are inherited from the token used to call this API.
Permissions assigned to the new token are not persisted; this endpoint is not a way to create roles.

Operation ID: tokens_create_token

Endpoint: POST /v1/tokens
Security: BearerAuth

## Request fields (application/json):

  - `resources` (object, required)

  - `resources.organizations` (object)

  - `resources.organizations.ids` (array, required)
    List of organization ids that this role definition grants access to. Use "\*" to grant access to all organization ids.

  - `resources.organizations.labels` (array,null)
    List of organization labels this role definition grants access to.

  - `resources.accounts` (object)

  - `resources.accounts.ids` (array, required)
    List of account ids that this role definition grants access to. Use "\*" to grant access to all account ids.

  - `resources.accounts.labels` (array,null)
    List of account labels this role definition grants access to. If both labels and environments are specified, both must pass.

  - `resources.accounts.environments` (array,null)
    Account environments this role definition grants access to. If both labels and environments are specified, both must pass.
    Enum: "test", "prod"

  - `resources.integrations` (object)

  - `resources.integrations.categories` (array, required)
    List of category ids that this role definition grants access to. Use "\*" to grant access to all category ids.
    Enum: "appsec", "assets", "chat", "cloudsecurity", "custom", "edr", "emailsecurity", "endpointmanagement", "identity", "incidentresponse", "notifications", "siem", "sink", "storage", "ticketing", "vulnerabilities"

  - `permission_set` (string, required)
    Enum: "administrator", "viewer", "member", "account-manager", "connect-ui", "token-issuer", "mcp-integrations-use-only", "mcp-management"

  - `name` (string,null)
    Unique short name for this token (lowercase [a-z0-9_-], can be used in URLs). Also used for case-insensitive duplicate name detection and default sort order. Defaults to TokenId if neither name nor fullname is specified.

  - `fullname` (string,null)
    Human friendly display name for this Token, will auto-generate 'name' field (if 'name' is not specified). Defaults to the same value as the 'name' field if not specified.

  - `token_ttl` (string,null)
    Token time-to-live. If not provided, defaults to 24 hours. Use the format "1h", "1m", "1s" for hours, minutes, and seconds respectively, e.g., "24h" for 24 hours.
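
The following is an added example, not code from this API's vendor: a client-side guard that builds the `POST /v1/tokens` body and refuses over-broad requests before they are sent. The account id, the one-hour local TTL cap, the `allow_wildcard` switch and the single-unit TTL pattern are assumptions made for illustration.

```python
import json
import re

# Enum values copied from the request field list on this page.
PERMISSION_SETS = {"administrator", "viewer", "member", "account-manager",
                   "connect-ui", "token-issuer", "mcp-integrations-use-only",
                   "mcp-management"}
ENVIRONMENTS = {"test", "prod"}
NAME_RE = re.compile(r"[a-z0-9_-]+")      # charset documented for `name`
TTL_RE = re.compile(r"(\d+)([hms])")      # assumption: one number plus one unit
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

def ttl_seconds(ttl):
    m = TTL_RE.fullmatch(ttl)
    if not m:
        raise ValueError(f"token_ttl {ttl!r} is not like '24h', '15m' or '30s'")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def build_token_request(name, permission_set, account_ids, environments=None,
                        token_ttl="1h", max_ttl_s=3600, allow_wildcard=False):
    """Return the JSON body for POST /v1/tokens, or raise ValueError."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be lowercase [a-z0-9_-]")
    if permission_set not in PERMISSION_SETS:
        raise ValueError(f"unknown permission_set {permission_set!r}")
    if not account_ids:
        raise ValueError("resources.accounts.ids is required")
    if "*" in account_ids and not allow_wildcard:
        raise ValueError('"*" grants every account id; pass allow_wildcard=True')
    bad_env = set(environments or ()) - ENVIRONMENTS
    if bad_env:
        raise ValueError(f"unknown environments {sorted(bad_env)}")
    if not 0 < ttl_seconds(token_ttl) <= max_ttl_s:
        raise ValueError(f"token_ttl {token_ttl} is outside 1s..{max_ttl_s}s")
    accounts = {"ids": list(account_ids)}
    if environments:
        accounts["environments"] = list(environments)
    return json.dumps({
        "resources": {"accounts": accounts},
        "permission_set": permission_set,
        "name": name,
        "token_ttl": token_ttl,
    }, sort_keys=True)

# Constructed sample: a viewer token for one made-up account id, test only.
EXAMPLE_BODY = build_token_request("ci-readonly", "viewer", ["acct_example_1"],
                                   environments=["test"], token_ttl="15m")
```

Because omitting `token_ttl` yields the documented 24-hour default, the guard always sends an explicit, capped value.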

## Response 200 fields (application/json):

  - `result` (object, required)

  - `result.id` (string, required)

  - `result.fullname` (string, required)
    Human friendly display name for this account.

  - `result.owner_id` (string, required)

  - `result.owner_type` (string, required)
    Enum: "organization", "integration"

  - `result.expires` (string, required)
    Time when this token expires and can no longer be used again.

  - `result.token_ttl` (string, required)
    Token time-to-live

  - `result.token_type` (string, required)
    Enum: "adhoc", "logon", "default"

  - `result.primary` (object, required)

  - `result.primary.access` (object, required)

  - `result.primary.access.secret` (string, required)
    Secret value for the token; used for authentication when making requests.

  - `result.primary.access.expires` (string, required)
    Time when this token expires and can no longer be used again.

  - `result.primary.access.permissions` (object, required)

  - `result.primary.access.permissions.resource_id` (string, required)

  - `result.primary.access.permissions.resource_type` (string, required)
    Type of the resource that this permission grants access to. Must be one of the following: "organization", "integration"

  - `result.primary.access.permissions.parent_id` (string, required)

  - `result.primary.access.permissions.id` (string, required)

  - `result.primary.access.permissions.organization_id` (string, required)

  - `result.primary.access.permissions.member_id` (string, required)

  - `result.primary.access.permissions.role_binding` (array,null)
    Roles granted to this token.

  - `result.primary.access.permissions.adhoc_role` (object)

  - `result.primary.access.permissions.adhoc_role.resources` (object, required)

  - `result.primary.access.permissions.adhoc_role.permission_set` (string, required)
    Enum: "administrator", "viewer", "member", "account-manager", "connect-ui", "token-issuer", "mcp-integrations-use-only", "mcp-management"

  - `result.primary.access.permissions.root_organization_id` (string)

  - `result.primary.access.claims` (object,null)
    Additional claims added to the token.

  - `result.primary.refresh` (object, required)

  - `result.name` (string, required)
    Human-readable name for this resource

  - `result.created_at` (string, required)
    Time object was originally created

  - `result.updated_at` (string, required)
    Last time object was updated

  - `result.member_id` (string)

  - `result.secondary` (object)
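
An added example (not the vendor's code) of handling the 200 body defensively: mask `secret` values before the response is logged, and confirm the issued `adhoc_role` is no broader than what was requested. The sample ids and secret are constructed, and the layout of `adhoc_role.resources` is assumed to mirror the request's `resources` object.

```python
REDACTED = "***REDACTED***"


def redact_secrets(obj):
    """Deep-copy obj with every value stored under a key named 'secret' masked."""
    if isinstance(obj, dict):
        return {k: REDACTED if k == "secret" else redact_secrets(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_secrets(v) for v in obj]
    return obj


def account_ids(resources):
    """Account ids from a `resources` object; tolerates missing or null parts."""
    return set(((resources or {}).get("accounts") or {}).get("ids") or [])


def scope_problems(response, requested):
    """List the ways the issued token differs from what was requested."""
    result = response["result"]
    role = result["primary"]["access"]["permissions"].get("adhoc_role") or {}
    problems = []
    if result["token_type"] != "adhoc":
        problems.append(f"token_type is {result['token_type']!r}, expected 'adhoc'")
    if role.get("permission_set") != requested["permission_set"]:
        problems.append(f"permission_set is {role.get('permission_set')!r}")
    want = account_ids(requested["resources"])
    extra = account_ids(role.get("resources")) - want
    if extra and "*" not in want:
        problems.append(f"account ids not requested: {sorted(extra)}")
    return problems


# Constructed sample data: ids and the secret are made up, and only the
# fields the checks read are included.
REQUESTED = {"resources": {"accounts": {"ids": ["acct_example_1"]}},
             "permission_set": "viewer"}
SAMPLE_RESPONSE = {"result": {
    "id": "tok_example", "token_type": "adhoc", "token_ttl": "15m",
    "primary": {"access": {
        "secret": "not-a-real-secret",
        "permissions": {"adhoc_role": {
            "resources": {"accounts": {"ids": ["acct_example_1"]}},
            "permission_set": "viewer"}}},
        "refresh": {}}}}

LOG_SAFE = redact_secrets(SAMPLE_RESPONSE)
```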

## Response 400 fields (application/json):

  - `occurred_at` (string, required)
    The date and time the problem occurred.

  - `status` (integer, required)
    The HTTP status code of the problem. Matches the HTTP response code sent by the server.

  - `instance` (string, required)
    A URI reference that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.

  - `message` (string, required)
    A short, display-friendly summary of the problem.

  - `type` (string)
    A URI reference that identifies the type of problem that occurred. When the URI scheme is HTTP(s), it may or may not be possible to dereference the URL to a display-friendly description of the problem type.

  - `cause` (array,null)
    A list of the root cause(s) for this problem occurrence. Includes at minimum one root cause, and is otherwise an unordered list of causes.

  - `cause.type` (string, required)
    A URI reference that identifies the type of problem that occurred. When the URI scheme is HTTP(s), it may or may not be possible to dereference the URL to a display-friendly description of the problem type.

  - `cause.message` (string, required)
    A short, display-friendly summary of the problem.

  - `cause.detail` (string,null)
    A display-friendly and more detailed explanation of the problem. It may offer additional contextual detail, but may also be just a generic description of the problem.

  - `cause.remediation` (string,null)
    A display-friendly explanation for how to remediate the problem. This field may be omitted in case there are multiple problems, each with its own remediation, or if no remediation is possible.

  - `cause.context` (object)

  - `cause.context.parameter` (object)

  - `cause.context.parameter.id` (string, required)
    If the location of the parameter is body, this value is always a JSON Pointer, otherwise it's the name of the parameter.

  - `cause.context.parameter.location` (string, required)
    Enum: "header", "path", "query", "body"

  - `cause.context.parameter.value` (any,null)
    The given value of the parameter.

  - `cause.context.resources` (array,null)

  - `cause.context.resources.type` (string, required)
    Enum: "account", "bridge", "credential", "integration_point", "integration", "member", "operation", "organization_webhook", "role", "sub_org", "token", "transform"

  - `cause.context.resources.id` (string, required)
    ID of the related resource.

  - `cause.context.resources.rel` (string, required)
    Enum: "affected", "cause"

  - `cause.context.raw_error` (string,null)
    If available this represents the underlying raw error, for example an error response from a Provider.

  - `cause.context.provider_details` (object,null)
    If available this represents the underlying details from the provider. May include the error message, status code, and other details.

  - `detail` (string,null)
    A display-friendly and more detailed explanation of the problem. It may offer additional contextual detail, but may also be just a generic description of the problem.

  - `remediation` (string,null)
    A display-friendly explanation for how to remediate the problem. This field may be omitted in case there are multiple problems, each with its own remediation, or if no remediation is possible.

  - `context` (object)


