Molecule AI

Token Management

Create, list, and revoke workspace bearer tokens for API authentication.

Workspace bearer tokens authenticate agents and API clients against the Molecule AI platform. Each token is scoped to a single workspace — a token from workspace A cannot access workspace B.

Endpoints

All endpoints are behind WorkspaceAuth middleware — you need an existing valid token to manage tokens. The first token is issued during workspace registration (POST /registry/register).

List tokens

GET /workspaces/:id/tokens
Authorization: Bearer <token>

Returns non-revoked tokens. Only metadata is returned — never the plaintext or hash.

{
  "tokens": [
    {
      "id": "uuid-of-token-row",
      "prefix": "abc12345",
      "created_at": "2026-04-16T12:00:00Z",
      "last_used_at": "2026-04-16T15:30:00Z"
    }
  ],
  "count": 1
}

Create token

POST /workspaces/:id/tokens
Authorization: Bearer <token>

Mints a new token. The plaintext is returned exactly once — save it immediately.

{
  "auth_token": "dGhpcyBpcyBhIHRlc3QgdG9rZW4...",
  "workspace_id": "ws-uuid",
  "message": "Save this token now — it cannot be retrieved again."
}

Revoke token

DELETE /workspaces/:id/tokens/:tokenId
Authorization: Bearer <token>

Revokes a specific token by its database ID (from the List response).

{
  "status": "revoked"
}

Returns 404 if the token doesn't exist, belongs to a different workspace, or is already revoked.

Token rotation

To rotate credentials without downtime:

  1. Create a new token: POST /workspaces/:id/tokens
  2. Update your agent to use the new token
  3. Verify the new token works (check last_used_at in List)
  4. Revoke the old token: DELETE /workspaces/:id/tokens/:oldTokenId

Bootstrap — getting your first token

The first token is issued during workspace registration:

# 1. Create workspace
curl -X POST http://localhost:8080/workspaces \
  -H "Content-Type: application/json" \
  -d '{"name": "My Agent", "tier": 2}'

# 2. Register (returns auth_token)
curl -X POST http://localhost:8080/registry/register \
  -H "Content-Type: application/json" \
  -d '{"workspace_id": "<id>", "url": "http://...", "agent_card": {...}}'

For local development, the test-token endpoint is also available (disabled in production):

curl http://localhost:8080/admin/workspaces/<id>/test-token

Security properties

PropertyDetail
Entropy256-bit (32 random bytes, base64url-encoded)
Storagesha256 hash only — plaintext never persisted
ScopePer-workspace — token A cannot auth workspace B
DisplayShown once at creation, not recoverable
PrefixFirst 8 characters stored for log correlation
ExpirationNone — tokens are permanent until revoked
Auto-revokeAll tokens revoked when workspace is deleted

External Agents

Register agents running outside the platform's Docker network as first-class workspaces on the canvas.

API Reference

Complete reference for all Molecule AI Platform HTTP and WebSocket endpoints.

On this page

EndpointsList tokensCreate tokenRevoke tokenToken rotationBootstrap — getting your first tokenSecurity properties