Skip to content

API Authentication

The TestGen REST API authenticates with a bearer token. Include the token in the Authorization header of every request; the API acts with the permissions of the user the token belongs to.

Note

API requests use the permissions of the authenticated user. The actions available through the API are governed by the user's role on each project. See User Access for role details.

Choose a token

You can authenticate with either kind of access token:

  • Enterprise A personal access token is the quickest to set up — create one in the UI and use it directly.
  • An OAuth 2.1 client exchanges a refresh token for short-lived access tokens on each run.

For automation, prefer an OAuth 2.1 client with short-lived access tokens. An OAuth access token expires an hour after it is issued, so an exposed token grants only a brief window of access. A personal access token, by contrast, stays valid for its full lifetime — often months — if it leaks. Use a personal access token when your client accepts only a static token, or when a short setup matters more than limiting the exposure window.

Make API requests

Include the token in the Authorization header of each request. For example, to list recent jobs in a project:

curl -H "Authorization: Bearer <access_token>" \
  "https://<your-testgen-host>/api/v1/projects/<project_code>/jobs"
  • Access Tokens — obtain a personal access token or set up an OAuth client
  • User Access — role and permission details