Access Token Management via the GraphQL API

Manage access tokens used for schema publishing, schema checks, app deployment publishes and other actions available via the GraphQL API. For more information, please refer to our access token documentation.

Retrieve a List of Access Tokens

Use the Organization.accessTokens field for retrieving a paginated list of available access.

query OrganizationAccessTokens($organizationSlug: String!, $after: String) {
  organization(reference: { bySelector: { organizationSlug: $organizationSlug } }) {
    accessTokens(first: 10, after: $after) {
      edges {
        node {
          id
          title
          description
          createdAt
        }
      }
      pageInfo {
        endCursor
        hasNextPage
      }
    }
  }
}
Loading tree-sitter...

Retrieve a Single Access Token

Instead of fetching a paginated list, it is also possible to retrieve a single access token by its id via the Organization.accessToken field.

query OrganizationAccessTokenById($organizationSlug: String!, $accessTokenId: ID!) {
  organization(reference: { bySelector: { organizationSlug: $organizationSlug } }) {
    accessToken(id: $accessTokenId) {
      id
      title
      description
      createdAt
    }
  }
}
Loading tree-sitter...

Retrieve a List of Permissions Assignable to Access Tokens

A list of permissions that are assignable to access tokens can be retrieved via the Organization.availableOrganizationAccessTokenPermissionGroups field. It returns a list of all permission groups and their permissions.

query OrganizationPermissions($organizationSlug: String!) {
  organization(reference: { bySelector: { organizationSlug: $organizationSlug } }) {
    id
    slug
    availableOrganizationAccessTokenPermissionGroups {
      id
      permissions {
        id
        title
        description
      }
    }
  }
}
Loading tree-sitter...

Create an Access Token

An access token can be created by using the Mutation.createOrganizationAccessToken field.

The CreateOrganizationAccessTokenResultOk.privateAccessKey field in the mutation results contains the access key that can be used with the Hive CLI or the Hive GraphQL API as an authorization header.

mutation CreateAccessTokenMutation($input: CreateOrganizationAccessTokenInput!) {
  createOrganizationAccessToken(input: $input) {
    ok {
      privateAccessKey
    }
    error {
      message
      details {
        title
        description
      }
    }
  }
}
Loading tree-sitter...

Resource Assignment

Use the CreateOrganizationAccessTokenInput.resources field to specify on which resources the permissions should apply. Permissions are inherited by all subresources (organization, project, target, service, app deployment).

{
mode: 'ALL',
projects: []
}
{
mode: 'GRANULAR',
projects: [
{
projectId: '<PROJECT_ID>',
targets: {
// Grant permissions on all targets within project
mode: 'ALL'
}
}
]
}
{
mode: 'GRANULAR',
projects: [
{
projectId: '<PROJECT_ID>',
targets: {
// Grant permissions on a single targets within project
mode: 'GRANULAR',
targets: [
{
targetId: '<TARGET_ID>',
// Grant permissions on a all services within target
services: { mode: 'ALL' },
// Grant permissions on a all app deployments within target
appDeployments: { mode: 'ALL' }
}
]
}
}
]
}

Delete an Access Token

A access token can be deleted by using the Mutation.deleteOrganizationAccessToken field.

mutation CreateAccessTokenMutation($input: CreateOrganizationAccessTokenInput!) {
  deleteOrganizationAccessToken(input: $input) {
    ok {
      deletedOrganizationAccessTokenId
    }
    error {
      message
    }
  }
}
Loading tree-sitter...