API tokens & service accounts¶
For anything you'd do in the Console, there's an API. To call it, you need an API token (for a user) or a service account (for a non-human caller).
What's the difference?¶
| API token (user) | Service account | |
|---|---|---|
| Tied to | A user identity | A standalone identity, not a person |
| Lifecycle | Lives as long as the user is active | Independent — survives staff churn |
| Best for | Interactive CLI / Terraform from your own laptop | CI/CD pipelines, monitoring agents, integrations |
| Revoked when | User is suspended / removed, or token deleted | Token deleted; service account itself can be deleted |
| Audit attribution | All API calls show your email | All API calls show the service-account name |
| MFA? | Not enforced on the token itself | n/a — service accounts can't sign in interactively |
Rule of thumb: anything that runs without a human at the keyboard should use a service account, not a user's personal token. Otherwise the moment that user changes role or leaves, your pipeline breaks (and you may scramble to issue a new token with the same scope).
Issuing a personal API token¶
User menu → Account → API tokens → + New token.
Creating an API token. Scope and lifetime are mandatory; the secret is shown exactly once.
The form asks:
| Field | Notes |
|---|---|
| Name | What this token is for (e.g. "my-laptop-cli", "terraform-laptop") |
| Scope — Organization | Which org this token operates within |
| Scope — Project(s) | One or more projects, or All projects (only available if you're org Admin/Owner) |
| Permissions | Inherit from your role, or downscope to a subset (the token can never grant more than your role does) |
| Expiry | 30 days / 90 days / 365 days / custom date / never. Pick the shortest that's practical. |
| Allowed IPs | Optional comma-separated CIDR list. Calls from outside these ranges are rejected. |
Click Create. Cloud Digit shows the token value exactly once — copy it now. After this screen, only the prefix is shown (e.g. cd_a1b2c3...), never the full secret.
Storing the token¶
- CI/CD systems — store in the platform's encrypted secret store (GitHub Actions secrets, GitLab CI variables, etc.). Never commit to git.
- Local development — use the OS keychain (macOS Keychain, Windows Credential Manager) via the Cloud Digit CLI's
cd configurecommand, which stores it for you. - Plain files — last resort. If you must, put the file in
~/.config/cd/tokenwithchmod 600.
Rotating¶
Tokens can't be rotated in place — you generate a new one, deploy it, then revoke the old one. The Console makes this convenient: from the token list, click ⋯ → Rotate. Cloud Digit creates a new token with the same scope and a 7-day grace window during which both work, so you have time to deploy the new value before the old one stops.
Service accounts¶
Project settings → Service accounts → + New service account.
Service accounts page inside a project. Each row is a non-human identity.
The form:
| Field | Notes |
|---|---|
| Name | e.g. ci-deployer, monitoring-agent — surfaces in audit logs |
| Description | What this account is for; visible to other admins |
| Project scope | Locked to the current project (use org-level service accounts via Org settings → Service accounts for cross-project use) |
| Role | Project Admin / Member / Read-only — same options as user project roles |
| Tag selector (optional) | Restrict the account to resources matching specific tags |
After creating the service account, you issue a token for it (same flow as a personal token, scoped to the service-account identity). A service account can have multiple active tokens — useful when you're rotating, or running parallel deployers across regions.
Service-account access keys (S3)¶
For Object Storage, service accounts can also have S3-style access key / secret key pairs in addition to OIDC API tokens. Issue from Service accounts → choose account → Access keys → + New key. These are S3-compatible — drop them into any AWS SDK with the right endpoint URL.
Using a token¶
CLI¶
```bash cd configure # interactive — prompts for token
or¶
export CD_API_TOKEN="cd_xxxxxxxx..." # for one-off invocations cd compute server list ```
Terraform¶
hcl provider "clouddigit" { region = "bd-dha-1" # token via env var CD_API_TOKEN }
Raw HTTP¶
bash curl -H "Authorization: Bearer cd_xxxxxxxx..." \ https://api.bd-dha-1.clouddigit.ai/v1/compute/servers
OpenStack / S3¶
The same OIDC-issued token also works as a Keystone token (OpenStack APIs) and the S3 path uses access keys instead of bearer tokens.
Token best practices¶
| Practice | Why |
|---|---|
| Shortest practical expiry | A leaked 30-day token is much less damaging than a leaked never-expires token |
| One token per workload | Easier to revoke when one workload is decommissioned |
| IP allow-listing for CI | Restrict to your CI runners' IPs — defends against credential leaks |
| Never the same token across environments | Production tokens shouldn't work in staging, and vice versa |
| Rotate quarterly minimum | Aligns with BB ICT 4.0 §10 (cryptography & key management) |
| Use service accounts for everything non-interactive | Survives staff turnover; cleaner audit trail |
Revoking¶
From the token list (Account → API tokens for personal, or Service accounts → tokens for service):
- Click ⋯ on the token row
- Revoke
- Confirm
Revocation is immediate — the next API call with that token gets 401 Unauthorized within ~5 seconds (token caches at the edge are sub-second).
For emergency revocation of all of a user's tokens at once: org Admin / Owner → Members → ⋯ → Revoke all tokens. Useful when a laptop is lost.
Audit trail¶
The audit log records, for every API call:
- Token name + prefix (never the full secret)
- Caller identity (user email or service-account name)
- API method + path + parameters
- Result (status code, error code)
- Source IP
- Timestamp
Export from the audit log or push to your SIEM.