Personal access token

Overview

A personal access token (PAT) contains your security credentials for the Asana platform. Much like an API key, generating a PAT allows you to access (i.e., make requests to) the Asana REST API upon successful authentication.

A user can create many, but not unlimited, personal access tokens. When creating a token, you must give it a description to help you remember what you created the token for.

📘

PAT or OAuth?

If you build an app, and the app needs to perform actions on behalf of users (e.g., getting data from Asana or making changes within Asana), you should use OAuth.


Generating a PAT

You can generate a personal access token from the Asana developer console.

📘

API explorer

Your PAT also gives you access to the API explorer, where you can make API requests (and view responses) directly in your browser window. For more information, see API explorer.

Example

Personal access tokens should be used similarly to OAuth access tokens when accessing the API (i.e., passing them in the Authorization header).

Below is an example of a cURL request authenticating with a PAT:

curl https://app.asana.com/api/1.0/users/me \
  -H "Authorization: Bearer ACCESS_TOKEN"

In the above snippet, replace ACCESS_TOKEN with your PAT.

⚠️

Note on token format

Asana API tokens should be treated as opaque. Token formats may change without notice. Validating a token's format on the client side could result in unexpected breakages. This applies to any Asana API tokens, including: personal access tokens, service account tokens, and both OAuth refresh tokens and access tokens.

PAT security

For security, you should regularly review the list of personal access tokens you have created and deauthorize those that you no longer need.

Remember to keep your tokens secret and treat them just like passwords. Your tokens act on your behalf when interacting with the API. As such, do not hardcode them into your programs. Instead, opt to use them as environment variables.
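
The cURL request from the example above, rewritten as an added example (not part of Asana's documentation) that reads the token from an environment variable. The variable name ASANA_PAT and the function names are assumptions. The header reaches curl on standard input so the token also stays out of the process argument list, and only the token's presence is checked, never its format.

```shell
#!/bin/sh
# Added example. ASANA_PAT, asana_curl_config and asana_get are assumed names,
# not identifiers defined by Asana.

# Print a curl config line carrying the Authorization header.
# The token is treated as opaque: we check that it is set, not what it looks like.
asana_curl_config() {
  if [ -z "${ASANA_PAT:-}" ]; then
    echo "ASANA_PAT is not set; export it instead of hardcoding the token" >&2
    return 1
  fi
  # Escape backslash and double quote so any token value survives curl's
  # quoted-string parsing in config files unchanged.
  _esc=$(printf '%s' "$ASANA_PAT" | sed 's/[\\"]/\\&/g')
  printf 'header = "Authorization: Bearer %s"\n' "$_esc"
}

# GET a path below the API base URL used on this page.
# The config is built first so a missing token aborts the call instead of
# silently sending an unauthenticated request.
asana_get() {
  _cfg=$(asana_curl_config) || return 1
  # --config - makes curl read options from stdin, so the token is not
  # visible in `ps` output or shell history.
  printf '%s\n' "$_cfg" | curl --silent --show-error --fail --config - \
    "https://app.asana.com/api/1.0/$1"
}

# Usage (needs network access and a real token in the environment):
#   export ASANA_PAT=...   # set by a secret manager or login profile, not in code
#   asana_get users/me
```
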