Authentication
Generate and use API tokens to authenticate your requests.
The API uses bearer tokens (personal access tokens). You generate a token in the app, then send it with every request.
Generate a token
Go to Settings → API tokens.
The tab only appears when the public API feature is enabled. If you don't see it, the API is not yet available on your account.
Who can generate tokens
| Role | Can generate tokens |
|---|---|
| Owner | Yes |
| Admin | Yes |
| Member | No — read-only view only |
Token creation requires a Pro or Studio plan (including trial). Accounts without an active paid tier see an upsell instead of the form.
Steps
- Select Generate new token.
- Enter a name for the token — for example, "Zapier sync" or "Backup script". Names can be up to 100 characters.
- Optionally, scope the token to a team member — see Scoped tokens below.
- Select Create token.
The full token is shown only once, immediately after creation. Copy it and store it somewhere safe — OneTake keeps only a hashed copy and cannot show it again. If you lose it, revoke the token and generate a new one.
After creation, the new token appears at the top of your token list, identified
by its name and a shortened prefix (for example, onetake_pro_ab12cd34…).
Scoped tokens
By default, a token acts as the studio member who generated it — it has the same access that member has. You can instead scope a token to a specific team member, so API requests made with that token act as that person rather than as you.
This is useful when you want a script or integration to read data as a particular engineer without sharing your own credentials.
How to scope a token
When your studio has more than one member, a Scope to team member dropdown appears in the create-token form. Choose a member from the list to scope the token to them. The default option — Full studio access (you) — leaves the token unscoped (it acts as you, the issuer).
The dropdown is not shown when the studio has only one member, since there is nobody else to scope to.
Scope validation
The scope target must be a current member of the studio. If the target is not a member, the token is not created and you receive an error.
Identifying scoped tokens in the list
A scoped token shows a Scoped to [name] badge below its name and prefix in the token list. An unscoped token shows no badge.
How scoped tokens behave at the API
When you make a request with a scoped token, the API acts as the scoped member — not as the token's issuer. The effective user is the person the token was scoped to.
An unscoped token acts as its issuer.
Scope and member removal
If a scoped member is removed from the studio, the scope_user_id on the token
is set to null automatically. After that, the token acts as its issuer instead.
Use a token
Send the token in the Authorization header as a bearer token:
curl -H "Authorization: Bearer onetake_pro_8Kf2pQ…aZ91xR" \
https://api.onetakeapp.com/v1/itemsThe Bearer scheme is matched case-insensitively, so bearer and BEARER
also work.
Token format
Tokens follow this pattern:
onetake_<tier>_<32 characters>- The tier segment is
profor Pro-family accounts (trial, Pro, Pro + Insure) andstudiofor Studio accounts. - The 32-character secret is random and base62-encoded (digits, uppercase, and lowercase letters).
The tier segment in the token is for display only. The API always reads the effective plan from the studio's subscription at authentication time.
Manage tokens
From Settings → API tokens you can:
- See each token's creation date — shown on every token row.
- See each token's last-used time — each token row shows when it was last used, or Never used if no calls have been made with it yet.
- See each token's revocation date — shown when a token has been revoked.
- View a token's recent calls — select Activity on any token row to expand a table of the last 100 requests, showing the timestamp, endpoint, HTTP status, and response time. Select Hide activity to collapse it.
- Revoke a token — see Revoke a token below.
Authentication errors
| Status | Cause | Notes |
|---|---|---|
401 | Missing header, malformed token, unknown token, revoked token, or hash mismatch. | Response includes WWW-Authenticate: Bearer. All cases return the same generic message to avoid leaking which tokens exist. |
403 | Valid token, but the studio's plan no longer includes API access (for example, downgraded to an expired trial). | No WWW-Authenticate header. |
500 | An unexpected error during token lookup. | Quote the request_id when contacting support. |
Revoke a token
Revoking a token stops it from working immediately. Any request using the token after revocation is rejected.
To revoke a token:
- Find the token in the list under Settings → API tokens.
- Select Revoke on the token row.
- A confirmation prompt appears inline. Select Confirm to revoke, or Cancel to go back without changing anything.
Once confirmed, the token row shows a Revoked badge and the date it was revoked. The Revoke button is no longer shown for that token.
The revoked token record is kept for your history — the row is not deleted.
Revocation is idempotent. If a token has already been revoked (for example, by another session), the action still returns successfully and shows the existing revoked record.
Only owners and admins can revoke tokens. Members do not see the Revoke button.
Token access by plan and role
| Owner | Admin | Member | |
|---|---|---|---|
| Pro | Create & view | Create & view | Read-only note |
| Studio | Create & view | Create & view | Read-only note |
| Pro + Insure | Create & view | Create & view | Read-only note |
| Trial | Create & view | Create & view | Read-only note |
| No active plan | Upsell shown | Upsell shown | Upsell shown |
Token issuance and revocation are both recorded in your studio's audit log.