# Create access token

> Creates a new access token with the specified name, description, expiration, and permissions.

All access-token management endpoints are available only when the server-side `auth_enabled` setting is `true`. If `auth_enabled` is `false`, the server rejects these requests with `403 Forbidden`.

## Permission model

Access token permissions use a bitmask model.

| Name | Value | Meaning |
| --- | --- | --- |
| `read` | 1 | Read access |
| `write` | 2 | Write access |
| `admin` | 4 | Admin access |

`admin` is an independent permission bit. It does not automatically grant `read` or `write`.

Common combinations:

| Bitmask | Permission string | Meaning |
| --- | --- | --- |
| 1 | `read` | Read only |
| 2 | `write` | Write only |
| 4 | `admin` | Admin only |
| 5 | `read,admin` | Read and admin |
| 6 | `write,admin` | Write and admin |
| 7 | `read,write,admin` | Read, write, and admin |

The create-token API accepts the canonical comma-separated permission names, and the server stores them as the corresponding bitmask.
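The following added example (not part of the Actian documentation or any Actian client) encodes the bitmask table, shows that `admin` alone does not satisfy a `read` check, and lints a create-token request body before it is sent. The function names, the whitespace tolerance, and the rule that flags non-expiring `admin` tokens are assumptions made for illustration; the field names come from this page's request schema.

```python
PERMISSION_BITS = {"read": 1, "write": 2, "admin": 4}  # values from the table above

def to_bitmask(permission: str) -> int:
    """Parse a comma-separated permission string into its bitmask."""
    mask = 0
    for name in permission.split(","):
        if name.strip() not in PERMISSION_BITS:
            raise ValueError(f"unknown permission name: {name!r}")
        mask |= PERMISSION_BITS[name.strip()]
    return mask

def to_permission_string(mask: int) -> str:
    """Render a bitmask as a permission string in read, write, admin order."""
    if not 1 <= mask <= 7:
        raise ValueError(f"bitmask out of range: {mask}")
    return ",".join(n for n, bit in PERMISSION_BITS.items() if mask & bit)

def allows(granted: str, required: str) -> bool:
    """True only if every required bit is granted; admin implies no other bit."""
    need = to_bitmask(required)
    return (to_bitmask(granted) & need) == need

def review_request(body: dict) -> list:
    """Lint a create-token request body before sending it (assumed local policy)."""
    findings = []
    for field in ("name", "permission"):
        if not body.get(field):
            findings.append(f"missing required field: {field}")
    mask = 0
    if body.get("permission"):
        try:
            mask = to_bitmask(body["permission"])
        except ValueError as exc:
            findings.append(str(exc))
    expires = body.get("will_expire", False)  # schema default is false
    if "expires_in_seconds" in body and not expires:
        findings.append("expires_in_seconds has no effect unless will_expire is true")
    if expires and body.get("expires_in_seconds", 0) <= 0:
        findings.append("will_expire is true but expires_in_seconds is not positive")
    if mask & PERMISSION_BITS["admin"] and not expires:
        findings.append("admin token would never expire")
    return findings

# Constructed sample: a request that sets a lifetime but leaves will_expire at its default.
SAMPLE = {"name": "ci", "expires_in_seconds": 3600, "permission": "admin"}

if __name__ == "__main__":
    print(to_bitmask(SAMPLE["permission"]), review_request(SAMPLE))
```

The constructed sample produces two findings because `will_expire` defaults to `false`, so the requested one-hour lifetime would not apply and the `admin` token would be valid indefinitely.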

When using an admin JWT, the server uses the persisted JWT secret from `server_params.btr`. If `ACTIAN_VECTORAI_JWT_SECRET` is set at startup, that value overrides the persisted secret and is saved for subsequent restarts.




## OpenAPI

````yaml post /auth/access_token
openapi: 3.0.3
info:
  title: Actian VectorAI DB - Authentication API
  description: Access token and admin user management for VectorAI DB.
  version: 1.0.0
  contact:
    name: Actian Corporation
    url: https://www.actian.com
servers:
  - url: http://localhost:6573
    description: Local development server (REST API)
  - url: https://api.vectorai.actian.com
    description: Production server
security:
  - bearerAuth: []
tags:
  - name: Access Tokens
    description: Create, list, rotate, and delete access tokens.
  - name: Admin User
    description: Create and manage the admin user, login, and authentication settings.
paths:
  /auth/access_token:
    post:
      tags:
        - Access Tokens
      summary: Create access token
      description: >
        Creates a new access token with the specified name, description,
        expiration, and permissions.


        All access-token management endpoints are available only when the
        server-side `auth_enabled` setting is `true`. If `auth_enabled` is
        `false`, the server rejects these requests with `403 Forbidden`.


        ## Permission model


        Access token permissions use a bitmask model.


        | Name | Value | Meaning |

        | --- | --- | --- |

        | `read` | 1 | Read access |

        | `write` | 2 | Write access |

        | `admin` | 4 | Admin access |


        `admin` is an independent permission bit. It does not automatically
        grant `read` or `write`.


        Common combinations:


        | Bitmask | Permission string | Meaning |

        | --- | --- | --- |

        | 1 | `read` | Read only |

        | 2 | `write` | Write only |

        | 4 | `admin` | Admin only |

        | 5 | `read,admin` | Read and admin |

        | 6 | `write,admin` | Write and admin |

        | 7 | `read,write,admin` | Read, write, and admin |


        The create-token API accepts the canonical comma-separated permission
        names, and the server stores them as the corresponding bitmask.


        When using an admin JWT, the server uses the persisted JWT secret from
        `server_params.btr`. If `ACTIAN_VECTORAI_JWT_SECRET` is set at startup,
        that value overrides the persisted secret and is saved for subsequent
        restarts.
      operationId: create_access_token
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
          description: >-
            Admin JWT or admin access token. Format `Bearer
            <admin-jwt-or-access-token>`.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - name
                - permission
              properties:
                name:
                  type: string
                  description: Human-readable name for the token.
                description:
                  type: string
                  description: Optional description of the token's intended use.
                will_expire:
                  type: boolean
                  description: >-
                    Whether the token expires. When `false`, the token is valid
                    indefinitely.
                  default: false
                expires_in_seconds:
                  type: integer
                  description: >-
                    Number of seconds until the token expires. Only applies when
                    `will_expire` is `true`.
                permission:
                  type: string
                  description: >-
                    Comma-separated permission names. Valid values are `read`,
                    `write`, `admin`, or any combination.
                  example: read,admin
      responses:
        '200':
          description: Token created successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  id:
                    type: integer
                    description: Unique identifier for the access token.
                  name:
                    type: string
                    description: Human-readable name for the token.
                  description:
                    type: string
                    description: Description of the token's intended use.
                  token:
                    type: string
                    description: >-
                      The raw access token value. Store this securely, as it
                      cannot be retrieved after creation.
                  created_at:
                    type: string
                    format: date-time
                    description: >-
                      Timestamp when the token was created, in RFC 3339 UTC
                      format.
                  expired_at:
                    type: string
                    format: date-time
                    nullable: true
                    description: >-
                      Timestamp when the token expires, in RFC 3339 UTC format.
                      `null` when `will_expire` is `false`.
                  will_expire:
                    type: boolean
                    description: Whether the token has an expiration date.
                  permission:
                    type: string
                    description: Comma-separated permission names assigned to the token.
              examples:
                success:
                  value:
                    id: 12
                    name: reader-admin-token
                    description: >-
                      Used by the analytics dashboard to run read-only admin
                      checks.
                    token: vdai_<newly-generated-token>
                    created_at: '2026-04-02T08:30:00Z'
                    expired_at: '2026-04-03T08:30:00Z'
                    will_expire: true
                    permission: read,admin
        '403':
          description: Authentication is not enabled on the server.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                auth_disabled:
                  value:
                    status: error
                    message: Access token API requires auth_enabled=true
      x-codeSamples:
        - lang: cURL
          label: Create access token
          source: |
            curl -X POST http://localhost:6575/auth/access_token \
              -H "Content-Type: application/json" \
              -H 'Authorization: Bearer <admin-jwt-or-access-token>' \
              -d '{
                "name": "reader-admin-token",
                "description": "Used by the analytics dashboard to run read-only admin checks.",
                "will_expire": true,
                "expires_in_seconds": 86400,
                "permission": "read,admin"
              }'
components:
  schemas:
    ErrorResponse:
      type: object
      properties:
        status:
          type: string
          description: Error status indicator.
        message:
          type: string
          description: Human-readable error description.
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: Admin JWT obtained from the login endpoint.

````