API Keys
Generate and manage Personal Access Tokens (PATs) for API access and CI/CD integration.
Overview
Personal Access Tokens (PATs) provide secure, authenticated access to the TestKase API and CI/CD integrations. Each token is tied to your user account, inherits your permissions, and acts as a password substitute for programmatic access. PATs are essential for:
- API requests — Authenticate calls to the TestKase REST API for automation, scripting, and custom integrations.
- CI/CD pipelines — Authenticate the
@testkase/reporterCLI to push test results from your CI pipelines. - Third-party tools — Connect external tools and services that need programmatic access to your TestKase data.
Secure tokens
Hashed and stored encrypted, never exposed after creation
Configurable expiry
7 days to 1 year, choose what fits your use case
User-scoped
Inherits your account role and project permissions
API & CI/CD ready
Works with REST API, reporter CLI, and webhooks
Shown once
Token is only displayed at creation time for security
Instant revocation
Delete a token to immediately invalidate it everywhere
Create an API Key
Follow these steps to generate a new Personal Access Token:
- Navigate to Settings → API Keys in your organization settings.
- Click Generate New Token.
- Enter a descriptive name for the token. Use a name that identifies its purpose, such as:
GitHub Actions — Production PipelineGitLab CI — Staging TestsAPI Script — Nightly ReportLocal Development
- Select an expiration period from the dropdown (see Expiration Periods below).
- Click Generate.
- A dialog displays your new token. Copy it immediately using the copy button.
The full token is only shown once at creation time. For security reasons, TestKase stores a hashed version and cannot display it again. If you lose the token, you must delete it and create a new one.
What a Token Looks Like
TestKase PATs are long, random strings. You will see only a partial preview (first and last few characters) in the API Keys management page after creation:
tk_pat_a1b2c3d4...x9y8z7 (full token shown only at creation)Expiration Periods
Every token must have an expiration period. Choose the shortest duration that meets your needs to follow the principle of least privilege:
| Period | Recommended Use Case | When to Choose |
|---|---|---|
| 7 days | Quick testing, one-time scripts, demos | You need temporary access for a short task |
| 30 days | Sprint-length projects, trial integrations | Testing a new CI/CD integration before committing long-term |
| 60 days | Medium-term projects, seasonal testing | Project has a defined timeline of a few months |
| 90 days | Standard CI/CD pipelines, quarterly rotation | Most common choice for production CI/CD pipelines |
| 180 days | Stable integrations, semi-annual rotation | Well-established pipelines with scheduled rotation |
| 365 days | Long-term stable integrations | Only for integrations where frequent rotation is impractical; rotate annually |
For production CI/CD pipelines, 90 days strikes a good balance between security and convenience. Set a calendar reminder to rotate the token before it expires.
Manage Keys
The API Keys settings page shows all your active tokens in a table view. For each token, you can see:
| Column | Description |
|---|---|
| Name | The descriptive name you gave the token at creation |
| Token Preview | First and last characters of the token (e.g., tk_pat_a1b2...z7) |
| Created | Date the token was generated |
| Expires | Expiration date; tokens past this date are automatically invalidated |
| Actions | Delete button to revoke the token immediately |
Deleting a Token
To revoke a token, click the Delete button next to it and confirm the action. Deletion is immediate and irreversible:
- Any API calls using this token will immediately receive a 401 Unauthorized error.
- Any CI/CD pipelines using this token will fail on their next run.
- The token cannot be recovered — you must create a new one.
Before deleting a token that is in use, make sure to generate a replacement token and update all systems using the old token first. This prevents pipeline failures.
Using Your PAT
PATs authenticate requests by being included in the Authorization HTTP header
using the Bearer scheme:
Authorization: Bearer YOUR_PAT_TOKENREST API
Include the header in any API request:
curl -H "Authorization: Bearer YOUR_PAT_TOKEN" \
-H "Content-Type: application/json" \
https://api.testkase.com/api/v1/projects/user-projectsCI/CD Reporter CLI
Pass the token to the @testkase/reporter CLI using the --token flag.
See the Automation guide for full pipeline setup.
npx @testkase/reporter report \
--token YOUR_PAT_TOKEN \
--project-id PRJ-1 \
--org-id 1173 \
--cycle-id TCYCLE-5 \
--format junit \
--results-file test-results/junit.xml--cycle-id is optional. If not provided, results are reported to TCYCLE-1 — the master test cycle for the project.
Never hardcode tokens in source code, pipeline files, or configuration files checked into version control. Always use secret/environment variables provided by your CI/CD platform.
API Usage Examples
Here are common API calls you can make with your PAT:
List Your Projects
curl -H "Authorization: Bearer YOUR_PAT_TOKEN" \
https://api.testkase.com/api/v1/projects/user-projectsGet Test Cases in a Project
curl -H "Authorization: Bearer YOUR_PAT_TOKEN" \
https://api.testkase.com/api/v1/test-cases?projectId=PRJ-1Get Test Cycles
curl -H "Authorization: Bearer YOUR_PAT_TOKEN" \
https://api.testkase.com/api/v1/test-cycles?projectId=PRJ-1Use --verbose or -v with curl to see the full request and response headers.
This is helpful for debugging authentication issues.
CI/CD Usage
The primary use of PATs in CI/CD is authenticating the @testkase/reporter CLI.
Here is how to securely configure the token in each platform:
GitHub Actions
Store the token as a repository secret named TESTKASE_PAT:
# Settings > Secrets and variables > Actions > New repository secret
# Name: TESTKASE_PAT
# Value: (paste your token)
# Reference in workflow:
--token ${{ secrets.TESTKASE_PAT }}GitLab CI
Add as a masked CI/CD variable:
# Settings > CI/CD > Variables > Add variable
# Key: TESTKASE_PAT
# Value: (paste your token)
# Options: Mask variable ✓, Protect variable (optional)
# Reference in .gitlab-ci.yml:
--token $TESTKASE_PATJenkins
Add as a "Secret text" credential:
# Manage Jenkins > Manage Credentials > Add Credentials
# Kind: Secret text
# ID: testkase-pat
# Secret: (paste your token)
# Reference in Jenkinsfile:
environment { TESTKASE_PAT = credentials('testkase-pat') }Azure DevOps
Add as a secret pipeline variable:
# Pipeline > Edit > Variables > New variable
# Name: TESTKASE_PAT
# Value: (paste your token)
# Keep this value secret: ✓
# Reference in azure-pipelines.yml:
--token $(TESTKASE_PAT)CircleCI
Add as a project environment variable:
# Project Settings > Environment Variables > Add Variable
# Name: TESTKASE_PAT
# Value: (paste your token)
# Reference in .circleci/config.yml:
--token $TESTKASE_PATFor complete pipeline templates with the reporter CLI, see the Automation guide.
Token Scoping & Permissions
PATs inherit the full permissions of the user account that created them. This means:
- If your account is a Project Admin, the token can perform all admin-level actions via the API.
- If your account is a User (regular member), the token is limited to the same actions you can perform in the UI.
- If your account is a Guest, the token has read-only access.
There is no way to create a token with fewer permissions than your account has. If you need a restricted token, create a dedicated TestKase user account with the minimum role needed and generate the token from that account.
Multi-Project Access
A single PAT provides access to all projects that the token owner has access to. There is no per-project token scoping. If your account has access to 5 projects, the token can access all 5.
Token Rotation
Token rotation is the practice of periodically replacing tokens with new ones. This limits the impact of a token being compromised. Here is the recommended rotation process:
- Generate a new token with the same name (appended with a version, e.g., "GitHub Actions v2").
- Update the secret in your CI/CD platform or application with the new token.
- Verify that the new token works by triggering a pipeline run or API call.
- Delete the old token from the API Keys page once confirmed.
Schedule token rotation 1-2 weeks before expiration to give yourself time to update all systems without any downtime.
Recommended Rotation Schedule
| Token Expiration | Rotation Cadence |
|---|---|
| 90 days | Every 80 days (10 days before expiration) |
| 180 days | Every 165 days (15 days before expiration) |
| 365 days | Every 350 days (15 days before expiration) |
Security Best Practices
- Never commit tokens to source code. Use CI/CD secrets, environment variables, or secret management tools (Vault, AWS Secrets Manager, etc.) to store tokens.
- Use descriptive names. Name tokens after their purpose and environment (e.g., "GitHub Actions — Production", "Local Dev — John") so you can identify and manage them easily.
- One token per integration. Create a separate token for each CI/CD pipeline, application, or environment. This way, revoking one token does not break other integrations.
- Use the shortest expiration that works. A 90-day token for CI/CD pipelines is a good default. Use 7-day tokens for temporary scripts or demos.
- Delete tokens you no longer use. Regularly audit your token list and remove tokens for decommissioned pipelines, old environments, or departed team members.
- Rotate before expiration. Set calendar reminders to rotate tokens 1-2 weeks before they expire. This avoids pipeline failures from expired tokens.
- Monitor for unauthorized use. If you suspect a token has been compromised, delete it immediately and generate a replacement. Check recent API activity for unexpected requests.
- Use dedicated service accounts for shared tokens. If multiple team members need API access, create a dedicated TestKase account (e.g., "ci-bot@yourcompany.com") with the minimum required role and generate tokens from that account.
FAQ
▶How many tokens can I create?
There is no strict limit on the number of tokens per account. However, best practice is to create one token per integration and delete unused tokens to keep your token list manageable.
▶What happens when a token expires?
Expired tokens are automatically invalidated. Any API calls or CI/CD pipelines using the expired token will receive a 401 Unauthorized error. Generate a new token, update your integration secrets, and the pipeline will work again.
▶Can I see the full token after creation?
No. For security reasons, the full token is only shown once at creation time. TestKase stores a hashed version. If you lose a token, delete it and generate a new one.
▶Can I extend a token's expiration?
No. Token expiration cannot be modified after creation. To get a longer-lived token, generate a new one with the desired expiration period and delete the old one.
▶Does deleting my account revoke all my tokens?
Yes. All tokens are tied to your user account. If your account is deleted or deactivated, all associated tokens are automatically invalidated.
▶Can a token access projects I'm not a member of?
No. Tokens inherit your exact permissions. If you do not have access to a project in the TestKase UI, the token cannot access it via the API either.
▶Is there a rate limit on API calls?
Yes. API rate limits apply per token. If you hit rate limits, you will receive a 429 Too Many Requests response. Spread requests over time or contact support for higher limits.
▶Can I use a PAT for the Jira integration?
The TestKase PAT is for the TestKase API. The Jira integration requires a separate token from your Jira/GitHub/GitLab account. These are two different tokens for two different purposes.