Personal Access Tokens

Personal access tokens let you authenticate with the Donotname API and MCP server without using your password. They are tied to your user account and have the same permissions you do.

Creating a Token

  1. Go to Settings (click your avatar in the bottom-left)
  2. Select Personal Access Token from the sidebar
  3. Click Create Token
  4. Enter a name for the token (e.g., "MCP Server", "CI/CD Pipeline")
  5. Choose the scopes (permissions) the token should have
  6. Optionally restrict access to specific spaces or bases
  7. Set an expiration date
  8. Click Create
  9. Copy the token immediately — it is shown only once

Token Scopes

Scopes control what the token can access:

Scope        Description
Full Access  Complete access to everything you can access
Read         Read records, fields, views, and table schemas
Write        Create, update, and delete records
Admin        Manage spaces, bases, and members

Using Your Token

REST API

Include the token in the Authorization header:

curl "https://app.donotname.com/api/table/{tableId}/record" \
  -H "Authorization: Bearer YOUR_TOKEN"

MCP Server

Set the token as an environment variable:

DONOTNAME_API_TOKEN=your-token npx @donotname/mcp-server

See the MCP Server guide for full setup instructions.

Managing Tokens

Viewing Tokens

All your tokens are listed on the Personal Access Token page. Each shows:

  • Token name
  • Creation date
  • Last used date
  • Expiration date

Refreshing a Token

If a token is compromised or you want to rotate it:

  1. Click the Refresh button next to the token
  2. A new token value is generated
  3. The old token is immediately invalidated
  4. Copy the new token

Deleting a Token

Click Delete to permanently revoke a token. Any integration using that token will immediately stop working.

Security Best Practices

  1. Never share tokens — treat them like passwords
  2. Use descriptive names — so you know which integration each token is for
  3. Set expiration dates — prefer short-lived tokens over permanent ones
  4. Use minimum scopes — only grant the permissions the integration actually needs
  5. Restrict to specific bases — if the integration only needs one base, limit the token accordingly
  6. Rotate regularly — refresh tokens periodically, especially after team member departures
  7. Never commit to git — use environment variables or secret managers
  8. Revoke unused tokens — delete tokens for integrations you no longer use

Troubleshooting

  • 401 Unauthorized — the token may be expired or deleted. Create a new one.
  • 403 Forbidden — the token does not have the required scope for this action.
  • Token not shown again — if you lost the token value, delete it and create a new one.
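
As an added example (not part of the Donotname documentation), the script below applies practice 7 from Security Best Practices and the status codes from Troubleshooting: it reads the token from DONOTNAME_API_TOKEN, hands the header to curl on standard input so it stays out of the process list, and translates 401 and 403. The function names and the exit codes 41 and 43 are choices made for this example, and the token is assumed to contain no double quotes.

```shell
#!/bin/sh
# Added example: call the record endpoint with the token taken from the
# environment, never from the command line or from the script itself.

API_BASE="https://app.donotname.com/api"   # base URL from the curl example above

# Fail early when the token is missing, without ever printing its value.
require_token() {
  [ -n "${DONOTNAME_API_TOKEN:-}" ] && return 0
  echo "DONOTNAME_API_TOKEN is not set; export it from your secret manager" >&2
  return 1
}

# Map an HTTP status to the guidance in the Troubleshooting section.
# Exit codes 41 and 43 are example choices so callers can branch on them.
explain_status() {
  case "$1" in
    2??) echo "ok" ;;
    401) echo "token expired or deleted: create a new one"; return 41 ;;
    403) echo "token lacks the required scope for this action"; return 43 ;;
    *)   echo "unexpected status $1"; return 1 ;;
  esac
}

# Build the curl config line that carries the header. It is fed to curl on
# stdin (--config -), so the token never appears in curl's argument list.
auth_config() {
  printf 'header = "Authorization: Bearer %s"\n' "$DONOTNAME_API_TOKEN"
}

# Request the records of one table and report only the HTTP status.
list_records() {
  require_token || return 2
  status=$(auth_config | curl --silent --config - --output /dev/null \
             --write-out '%{http_code}' "$API_BASE/table/$1/record") || status=000
  explain_status "$status"
}

# Run only when a table ID is given as the first argument.
if [ "$#" -gt 0 ]; then
  list_records "$1"
fi
```

Save it as a file, export DONOTNAME_API_TOKEN from your secret manager, and pass a table ID as the only argument.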