Tokens & scopes
Scoped API tokens let you hand an automation or AI agent exactly the power it needs — and nothing more. A token can be limited to specific actions and even to a single app.
Create a token
wess token create deploybot --scopes deploy,logs --app blog # → wess_xxxxxxxx (shown once)
Use it by setting WESS_TOKEN, or send it as Authorization: Bearer wess_... directly to the API.
Scopes
| Scope | Grants |
|---|---|
read | list apps, status, doctor |
deploy | create apps and deploy |
logs | read app logs |
secrets | read/set/remove secrets |
destroy | destroy apps |
sandbox | run sandbox code |
App-binding
Pass --app <name> to lock a token to one app. An app-bound token can't touch other apps or platform-wide endpoints — ideal for a per-app CI deploy key or an agent working on a single project.
Manage
wess token list wess token revoke <id>
Tokens are stored hashed — we can't show a token again after creation. Lost one? Revoke it and make a new one.