The Tanzu Service Mesh API requires that requests be authenticated. You must use a combination of an API token and an access token to authenticate your calls to the Tanzu Service Mesh API.

Think of API tokens as a form of authentication similar to a username and password. Tokens are scoped within your organization for additional security. You can use an API token to interact with the Tanzu Service Mesh REST API by exchanging it for an access token.

An API token is valid for a time-to-live (TTL) period that you specify when you generate the token. The default period is 6 months. After the specified time, to continue using the Tanzu Service Mesh REST API, you must regenerate the token.

After generating an API token, save the token credentials to a safe place. You can then use the API token to obtain access tokens. You can use an access token only for a single operation and within a short period of time. After the access token expires, you can use the API token to obtain a new access token.

Your API token is scoped within your organization for additional security. Scopes provide a way to control what areas in an organization your token can access, specifically which role in the organization, what services, and the level of permissions.

If you suspect that the API token has been compromised, you can revoke the token to prevent any unauthorized access. When you revoke an API token, you lose the ability to perform API calls with it. However, access tokens obtained from the revoked API token are still valid until their expiration time (30 minutes). To renew the authorization, generate a new API token.

You can regenerate a token at any time. If you regenerate a token, you revoke all instances of the previous token. If you have used the revoked API token, for example, in one of your scripts, you must replace it with the newly generated API token.

For security reasons, after you generate the token, the API Tokens page only displays the name of the token, and not the token credentials. This means that you can no longer reuse the token by copying the credentials from this page.

Prerequisites

Access VMware Cloud Services at https://console.cloud.vmware.com/csp/gateway/discovery.

Procedure

  1. Generate an API token.
    1. In the upper-right corner of the VMware Cloud Services Console, click your user name and under User Settings, click My Account.
    2. On the My Account page, click the API Tokens tab and click Generate a new API token.
    3. Provide the following information.
      Token Name

      Enter a meaningful name for the token.

      Token TTL

      Specify how long the token is valid. You can set the token to never expire, but this is a security risk.

      Define Scopes

      Define the scopes for the token.

      Under Organization Roles, select Organization Administrator.

      Under Service Roles, expand VMware Tanzu Service Mesh and then select TSM Member.

      Select OpenID.

    4. Click Generate.

      A Token Generated dialog box displays the generated token and specifies when the token expires. You can copy, download, and print the token.

    5. To save the token credentials so you can retrieve them to use later on, click Copy and then paste the token into a file in a safe location.
    6. Click Continue.

    For security reasons, after you generate the token, the API Tokens page displays only the name of the token, and not the token credentials. This prevents a user from reusing the token by copying the credentials from this page.

  2. To set an environment variable for the API token, run the following command.
    export CSP_TOKEN={token}

    Where {token} is the generated API token.

  3. To exchange the API token for an access token, submit the following request.
    curl --header "Content-Type: application/x-www-form-urlencoded" --header "Accept: application/json" -X POST "https://console-stg.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize?api_token=$CSP_TOKEN"

    Where $CSP_TOKEN is the generated API token from step 2.

    The value of access_token in the response contains the access token.

  4. Use the received access token in the csp-auth-token header in your calls to the Tanzu Service Mesh REST API.
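
Steps 2 through 4 as a script, for callers that keep the saved API token in a file instead of exporting it in an interactive shell. This is an added example, not VMware's code: the token file, the function names, and the injectable `post` transport are assumptions made for illustration, while the endpoint, request headers, `access_token` field, and `csp-auth-token` header are the ones shown in the procedure.

```python
import json
import os
import stat
import urllib.error
import urllib.parse
import urllib.request

# Added example: helper names and the token-file approach are assumptions.
# The authorize endpoint is copied from step 3 of the procedure.
AUTHORIZE_URL = ("https://console-stg.cloud.vmware.com"
                 "/csp/gateway/am/api/auth/api-tokens/authorize")


def load_api_token(path):
    """Read the saved API token, refusing a file that other users can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {stat.S_IMODE(mode):o} is too open, use 600")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def http_post(url, headers):
    """Default transport: POST with an empty body and return the response bytes."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def exchange(api_token, post=http_post):
    """Exchange the API token for an access token (step 3)."""
    url = AUTHORIZE_URL + "?" + urllib.parse.urlencode({"api_token": api_token})
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    try:
        body = post(url, headers)
    except urllib.error.HTTPError as err:
        # The failing URL contains the API token, so report only the status code.
        raise RuntimeError(f"token exchange failed: HTTP {err.code}") from None
    access_token = json.loads(body).get("access_token")
    if not access_token:
        raise RuntimeError("response has no access_token field")
    return access_token


def auth_headers(token_path, post=http_post):
    """Build the header for a Tanzu Service Mesh REST API call (step 4)."""
    return {"csp-auth-token": exchange(load_api_token(token_path), post)}
```

A failed exchange, for example after the API token has been revoked or regenerated, surfaces as a `RuntimeError` whose message never includes the token.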