Getting a Personal Access Token
Personal Access Tokens (PATs) are how the DemandFlow REST API knows who you are. Every API call needs one in the Authorization header.
Creating a token
- Click your avatar in the top-right of DemandFlow to open your user profile.
- Switch to the PAT Tokens tab (the key icon).
- Enter a name that describes where the token will be used (for example "Nightly export script" or "Reporting job").
- Optionally choose a scope to limit what the token can do.
- Click Create.
The new token is displayed once. Copy it immediately; you will not be able to see it again. If you lose it, create a new one.
Using a token
Send the token in the Authorization header on every request:
Authorization: Bearer <your-pat>
For example, with curl:
curl -H "Authorization: Bearer df_pat_abc123..." \
"https://rest.demandflow.com/v1/entities/PPL/SUB"
How tokens behave
- A token inherits the permissions of the user it was created for; it cannot do anything that user cannot do.
- A token is bound to the user's subscription. You cannot use a token from one tenant to access another.
- Tokens do not expire automatically, but they can be revoked or deleted at any time from the same PAT Tokens panel.
Keeping tokens safe
- Treat them like passwords. Anyone who sees the token can act as you until it is revoked.
- Never commit them to source control. Load them from environment variables, a secrets manager, or a local .env file that is git-ignored.
- Use a separate token per integration. If one token leaks, you can revoke just that one without breaking everything else.
- Revoke old tokens. When an integration is retired, delete its token from the PAT Tokens panel.
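One way to follow the environment-variable advice above when calling the API with curl, as an added example rather than DemandFlow's own code. The variable name DEMANDFLOW_PAT and the function names are assumptions.

```shell
#!/bin/sh
# Added example. DEMANDFLOW_PAT is an assumed variable name, not a DemandFlow convention.

# Fail closed when the token is missing or malformed, so a job never sends an
# empty or broken Bearer header.
require_pat() {
    if [ -z "${DEMANDFLOW_PAT:-}" ]; then
        echo "DEMANDFLOW_PAT is not set; export it or inject it from a secrets manager" >&2
        return 1
    fi
    # Spaces, double quotes and backslashes usually mean a bad copy/paste, and
    # they would corrupt the curl config line built below.
    case "$DEMANDFLOW_PAT" in
        *' '*|*'"'*|*'\'*)
            echo "DEMANDFLOW_PAT contains unexpected characters" >&2
            return 1 ;;
    esac
}

# Emit the header as curl config text. Feeding it to `curl --config -` keeps the
# token out of the process argument list and out of shell history.
pat_curl_config() {
    require_pat || return 1
    printf 'header = "Authorization: Bearer %s"\n' "$DEMANDFLOW_PAT"
}

# Mask a token for log lines: keep 7 characters (the length of the "df_pat_"
# prefix in the page's sample token) and hide the rest.
redact_pat() {
    printf '%s****\n' "$(printf '%s' "$1" | cut -c1-7)"
}

# GET a path under the API base URL used in the curl example above.
df_get() {
    require_pat || return 1
    pat_curl_config | curl --silent --show-error --fail --config - \
        "https://rest.demandflow.com/v1/$1"
}

# Usage (needs network access and a real token in the environment):
#   df_get "entities/PPL/SUB"
```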
Revoking or deleting a token
On the PAT Tokens panel, each token row has Revoke and Delete actions. Revoke keeps the record (so you can see it in the audit log) but stops the token from working. Delete removes it entirely.