# Integration Access Tokens

**Integration Access Tokens** authenticate the **Connector APIs**.

Use these for operational work against Providers:

- Fetch Jira tickets or create ServiceNow incidents
- Query identity events from Okta
- Read assets from AWS
- Send notifications via Slack


This token is intentionally narrow in scope — it can perform operations against a Provider
but cannot modify organizational resources. Issue one per Integration, per tenant session.

## Scope and Authority

Integration Access Tokens are scoped to a single Integration. They carry only the authority
needed to perform operations against the Provider that Integration connects to, nothing more.

| API | Token required | Used for |
|  --- | --- | --- |
| Management APIs | Organization Access Token | Create and configure Synqly resources |
| Connector APIs | Integration Access Token | Interact with external providers |


## Why Two Token Types?

**Separation of authority**

Without this separation, a runtime integration could gain administrative access, and
provider-facing operations could modify organization-level resources. Synqly enforces
least-privilege by design: management authority and operational execution are always isolated.

Use Integration Access Tokens for all runtime provider interactions. For administrative
operations, use Organization Access Tokens instead.

## Token Lifecycle

Integration Access Tokens should be generated on demand and scoped tightly:

- Issue one token per Integration, per tenant session
- Rotate tokens regularly rather than reusing long-lived credentials
- Never cache an Integration Access Token at the organizational level — it belongs to a specific Account's Integration
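
One way to apply the lifecycle rules above in a backend, as an added example that is not Synqly's code: a store that holds tokens per Account, Integration and session and rotates them by age. The `issue` callable, the class and method names, and the 900-second maximum age are assumptions; `issue` stands in for however your backend obtains an Integration Access Token.

```python
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IssuedToken:
    secret: str = field(repr=False)  # keep the token out of logs and tracebacks
    expires_at: float


class IntegrationTokenStore:
    """Holds one token per (account, integration, session); never org-wide."""

    def __init__(self, issue, max_age_seconds=900.0, clock=time.monotonic):
        self._issue = issue  # hypothetical: issue(account_id, integration_id) -> str
        self._max_age = max_age_seconds  # assumed rotation interval
        self._clock = clock
        self._tokens = {}

    def get(self, account_id, integration_id, session_id):
        # Refuse partial keys: an empty account or session would turn the
        # entry into a shared, organization-level token.
        if not (account_id and integration_id and session_id):
            raise ValueError("account, integration and session are all required")
        key = (account_id, integration_id, session_id)
        now = self._clock()
        token = self._tokens.get(key)
        if token is None or now >= token.expires_at:
            # On-demand issue, and rotation once the token has aged out.
            token = IssuedToken(self._issue(account_id, integration_id), now + self._max_age)
            self._tokens[key] = token
        return token.secret

    def end_session(self, session_id):
        """Drop every token held for a session; returns how many were dropped."""
        stale = [k for k in self._tokens if k[2] == session_id]
        for key in stale:
            del self._tokens[key]
        return len(stale)
```

Call `end_session` when the tenant session closes so no token outlives the session it was issued for.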


**Protect Integration Access Tokens**

An Integration Access Token grants access within the scope of a specific Integration. If exposed, it may allow access to data or actions associated with the credentials used to configure that Integration, potentially crossing tenant boundaries.

Treat Integration Access Tokens as sensitive credentials. Store them securely, limit their exposure, and follow the principle of least privilege when configuring provider credentials. Whenever possible, grant only the permissions required for the integration to function rather than using broad administrative access.

Security is a shared responsibility. Synqly helps protect the platform and provides guidance for securely configuring providers, while you are responsible for protecting Integration Access Tokens and ensuring that provider credentials are scoped appropriately for your use case. Refer to the [Provider Configuration guides](http://127.0.0.1:3500/guides/provider-configuration/amazon-inspector-appsec-setup) for provider-specific security recommendations.