
Managing API Tokens

Essal Office provides a REST API for integrating with other systems — for example, automated document uploads from business applications, connecting a scanner workflow, or building custom integrations. API access is authenticated using tokens tied to specific user accounts.


What Is an API Token?

An API token is a long random string that acts as a credential for programmatic access to Essal Office. Anything you can do in the web interface can potentially be done via the API using a token — under the same permissions as the user the token belongs to.

Keep tokens private. Anyone with a token has the same level of access as the user it was issued for.


Creating an API Token

  1. Go to your profile settings (click your username in the top-right)
  2. Select API Token or navigate to Profile > API Token
  3. If no token exists yet, click Generate token
  4. Copy the token immediately — it is shown in full only at creation time

Store the token in a secure location (e.g. a password manager or secrets vault). If you lose it, you must delete it and generate a new one.


Using an API Token

Include the token in the Authorization header of all API requests:

Authorization: Token <your-api-token>

The API base URL is typically https://your-essal-office-domain/api/. Refer to the API documentation for available endpoints and request formats.
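
The following client-side sketch is an added example, not code from Essal Office. It builds the header shown above while keeping the token out of source code, refusing non-HTTPS URLs, and redacting the header for logs. The environment variable name ESSAL_API_TOKEN and the endpoint path documents/ are assumptions made for illustration.

```python
import os
import urllib.request
from urllib.parse import urljoin, urlsplit

TOKEN_ENV = "ESSAL_API_TOKEN"  # assumed variable name, not defined by Essal Office


def load_token(env=os.environ):
    """Read the token from the environment so it never lives in source code."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    # Embedded whitespace or control characters usually mean a bad copy/paste
    # and would corrupt the header line.
    if any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError("token contains whitespace or control characters")
    return token


def build_request(base_url, path, token):
    """Return a urllib Request carrying 'Authorization: Token <token>'."""
    if urlsplit(base_url).scheme != "https":
        # The token is a bearer credential; never send it in cleartext.
        raise ValueError("refusing to send an API token over a non-HTTPS URL")
    url = urljoin(base_url.rstrip("/") + "/", path.lstrip("/"))
    return urllib.request.Request(url, headers={"Authorization": f"Token {token}"})


def redacted_headers(req):
    """Copy of the request headers that is safe to write to logs."""
    return {k: ("Token ***" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed sample values; "documents/" is a hypothetical endpoint path.
    tok = load_token({TOKEN_ENV: "constructed-sample-token-0123456789"})
    req = build_request("https://your-essal-office-domain/api/", "documents/", tok)
    print(req.full_url, redacted_headers(req))
```

Pass the returned request to urllib.request.urlopen to send it, and log only the output of redacted_headers.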


Rotating a Token

If a token is compromised or needs to be replaced:

  1. Go to your profile settings → API Token
  2. Delete the existing token
  3. Generate a new token
  4. Update all systems that used the old token with the new value

The old token stops working immediately upon deletion.


Token Security Best Practices

  • Never share tokens in emails, chats, or code repositories
  • Use one token per integration — if one integration's token is compromised, only that integration is affected
  • Rotate tokens periodically as a security hygiene measure
  • Review active tokens — if you see a token you did not create, delete it and contact your administrator

Admin Token Management

Administrators can view and manage API tokens for all users from the Administration panel. If a user account is compromised, admins can delete that user's token to revoke API access immediately without deleting the user account.