# Authentication

This article covers authenticating to a Celigo API using a bearer token. To authenticate a third-party connector, like NetSuite or Salesforce, use the **Connection** resource. Every request to a Celigo API requires a bearer token, sent in the `Authorization` header:

```http
Authorization: Bearer <your-api-token>
```

## Token types

The **Auto purge token** field controls how long a token lives before it is automatically deleted: 1 hour, 4 hours, 1 day, 4 days, 10 days, 30 days, or never.

| Type            | Who can issue        | When to use                                                                             |
| --------------- | -------------------- | --------------------------------------------------------------------------------------- |
| **Full access** | Account owner, admin | Trusted server-to-server automation.                                                    |
| **Custom**      | Account owner, admin | Least-privilege access to specific connections, exports, imports, APIs, or MCP servers. |

## Create a token (UI)

1. Go to **Resources → API tokens → + Create API token**.
2. Name it something that tells you where it's used: `ci-deploy-bot`, `local-dev-tyler`, `terraform-stack`.
3. Set **Auto purge token**. Short-lived is safer.
4. Choose **Full access** or **Custom**.
5. If **Custom**, use the dropdowns under each resource category (Connections, Exports, Imports, APIs, MCP servers) to select only the specific resources the token should access.
6. Click **Save**, then copy the token immediately. It cannot be retrieved later.

## Rotating tokens

Tokens don't auto-rotate. Treat them like database passwords:

* Store them in your secrets manager, not in source code.
* Rotate on a schedule (quarterly is a reasonable default) and whenever a team member with access to the secret leaves.
* Create the new token **first**, roll it out to your deploys, and only then delete the old one — deleting invalidates immediately.

## Custom-scoped tokens

A Custom token restricts access to specific resource instances you select during creation. Under **Token permissions → Custom**, each resource category has a multi-select dropdown where you pick exactly which resources the token can reach:

| Category        | What you're selecting           |
| --------------- | ------------------------------- |
| **Connections** | Individual connection resources |
| **Exports**     | Individual export resources     |
| **Imports**     | Individual import resources     |
| **APIs**        | Individual API resources        |
| **MCP servers** | Individual MCP server resources |

If a resource isn't selected, the token cannot access it. Categories left empty grant no access to that resource type.

## Testing a token

{% tabs %}
{% tab title="cURL" %}

```bash
curl -s https://api.integrator.io/v1/tokenInfo \
  -H "Authorization: Bearer $CELIGO_API_TOKEN" \
  -w "\n--\nstatus=%{http_code}\n"
```

{% endtab %}

{% tab title="Node.js" %}

```javascript
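// Run as an ES module on Node 18+; the token comes from the environment, not the source.
const TOKEN = process.env.CELIGO_API_TOKEN;

const res = await fetch("https://api.integrator.io/v1/tokenInfo", {
  headers: { Authorization: `Bearer ${TOKEN}` }
});
console.log(`status=${res.status}`);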
```

{% endtab %}

{% tab title="Python" %}

```python
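import os
import requests

# Read the token from the environment rather than hard-coding it.
TOKEN = os.environ["CELIGO_API_TOKEN"]

res = requests.get(
    "https://api.integrator.io/v1/tokenInfo",
    headers={"Authorization": f"Bearer {TOKEN}"},
    timeout=10,
)
print(f"status={res.status_code}")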
```

{% endtab %}

{% tab title="Celigo CLI" %}

```bash
celigo tokenInfo get
```

{% endtab %}
{% endtabs %}

| Status | Meaning                                                       |
| ------ | ------------------------------------------------------------- |
| `200`  | Token is valid. Works for both Full access and Custom tokens. |
| `401`  | Token is missing, malformed, expired, or revoked.             |

See [Errors & status codes](/api/using-the-api/errors.md) for full details.
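The rotation order from **Rotating tokens** can be gated on the `tokenInfo` check above. The following is an added example, not Celigo's own code: it treats only `200` and `401` as verdicts and blocks deletion on anything else, such as a timeout or a 5xx. The function names and the `CELIGO_API_TOKEN_NEW` / `CELIGO_API_TOKEN_OLD` variable names are assumptions.

```python
import os
import urllib.error
import urllib.request

TOKEN_INFO_URL = "https://api.integrator.io/v1/tokenInfo"  # endpoint from this page


def token_status(token, url=TOKEN_INFO_URL, timeout=10):
    """Return the tokenInfo HTTP status for a token, or None if no response."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as res:
            return res.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and other non-2xx responses arrive as HTTPError
    except OSError:
        return None      # DNS failure, refused connection, timeout: no verdict


def rotation_action(new_token, old_token, probe=token_status):
    """Map the two tokens' tokenInfo status to the next safe rotation step.

    Anything other than 200 or 401 is inconclusive and never leads to
    deleting the old token.
    """
    new_status = probe(new_token)
    if new_status == 401:
        return "abort: new token rejected, keep the old one"
    if new_status != 200:
        return "retry: no verdict on new token"
    old_status = probe(old_token)
    if old_status == 200:
        return "ready: new token valid; delete old once deploys use the new one"
    if old_status == 401:
        return "done: old token no longer valid"
    return "retry: no verdict on old token"


if __name__ == "__main__":
    # Hypothetical variable names; load both values from your secrets manager.
    new = os.environ.get("CELIGO_API_TOKEN_NEW")
    old = os.environ.get("CELIGO_API_TOKEN_OLD")
    if new and old:
        print(rotation_action(new, old))  # prints the action only, never a token
```

The check confirms token validity only; whether every deploy has picked up the new token still has to be verified separately before the old one is deleted.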

## Related

* [Environments & regions](/api/getting-started/environments.md) — tokens are per-tenant; US tokens do not work on EU.
* [Errors & status codes](/api/using-the-api/errors.md) — what the API returns for every auth failure mode.
* [CLI: Authenticate](https://developer.celigo.com/cli/setup/authenticate) — how to wire the same token into the CLI.

