As the sole owner of your API tokens, it is your responsibility to securely store, backup and manage them.

To view and manage your API tokens, click your user name, then select My Account > API Tokens.
  • To regenerate a token, click Regenerate. This replaces the existing token with a new one. In order to continue calling the APIs, you must update your token in the API calls.
  • To deactivate a token, click Revoke. This revokes both the API token and the associated access token.
  • To prevent unauthorized access to your Organization's resources, it is strongly recommended that you keep the API tokens you generate in a secure and protected location. VMware Cloud Services does not check for proof of possession, but captures token usage audit events when:
    • a user generates an API token
    • a user revokes one or all personal tokens
    • a user makes an unsuccessful attempt to generate access token by API token refresh
    Note: To view the audit event logs in VMware Cloud Services, you must have an Organization Owner role.
  • To add an extra layer of security to your APIs, you can add Multi-Factor Authentication for your API tokens. For more information, see .
  • If your API token has been deactivated by an Organization Owner for violating any policy set in the Organization, or for not adhering to the Organization's standards, you will receive an email notification from VMware Cloud Services. On your My Account > API Tokens page, deactivated tokens are marked with the label The label Deactivated appears next to the API Token name..
The following table summarizes the most common API token self-service management tasks:
If you want to... Do this...
Extend the validity of an API token that has expired. You must regenerate your token.
Regenerate a valid API token. You can regenerate a token at any time. If you regenerate a token, you revoke all instances of the previous token. If you have used the token, for example in one of your scripts, remember to replace it with the newly generated token.
Replace a compromised API token. If you feel the token has been compromised, you can revoke the token to prevent unauthorized access. You generate a new token to renew authorization.
Destroy an API token that is still valid. You destroy a valid API token by revoking it.
Recover a lost API token. Lost tokens cannot be recovered. You must revoke the lost token and generate a new one.
Reactivate an API token deactivated by an Organization Owner If a deactivated token is still valid, you must contact the Organization Owner and ask for its reactivation.