How to configure a Personal Access Token (PAT)

View as Markdown

Find out how to create, use, and revoke Personal Access Tokens (PATs) for OVHcloud IAM local users via the Control Panel, API, or CLI

Objective

Personal Access Tokens (PATs) let an OVHcloud IAM local user authenticate with the OVHcloud API and product backend APIs without sharing their login credentials. A PAT is a bearer token whose permissions are defined by the IAM policies attached to the user.

Unlike service account credentials, which are designed for machine-to-machine interactions, PATs are intended for scripts or applications acting on behalf of a local user.

This guide explains how to configure a Personal Access Token (PAT) for an OVHcloud IAM local user.

Requirements


OVHcloud Control Panel Access

  • Direct link:
  • Navigation path: Identity, Security & Operations > Identities

Instructions

Understand Personal Access Tokens

PATs are linked to a single local user identity. When you use a PAT, the API calls inherit the rights of that user according to the IAM policies applied to them.

Key characteristics:

  • Authentication scheme: Bearer token (Authorization: Bearer <token>).
  • Expiration: By default, a PAT does not expire. You can optionally set an expiration date when creating it.
  • Revocation: Delete the PAT at any time to immediately revoke access.
  • One-time display: The token value is only shown once at creation. Store it securely.

See Identities management.

Info

If you need credentials for automated, production-grade integrations that are not tied to a human user, use a service account instead.

Create a Personal Access Token

Replace {user} with your local user login (for example, 1234-567-89/johnsmith).

Via the OVHcloud Control Panel
Via the OVHcloud API
Via the OVHcloud CLI

From the page, click the button at the end of the local user row, then select Manage tokens.

Manage tokens option in the local user actions menu

On the Manage Tokens page, click Add a token, then fill in the required fields:

FieldDetails
NameA unique name to identify the token (for example, pat-my-script).
DescriptionA short description of how the token will be used.
Expiry dateOptional. Disable the toggle for a non-expiring token, or set a duration or a fixed date.
Create a token form with name, description, and expiry date fields

Click Create to generate the token.

Warning

Copy the token value immediately and store it in a secure location. It will not be displayed again.

Use a Personal Access Token

Use the PAT as a Bearer token in the Authorization header of your HTTP requests.

To retrieve information about your OVHcloud account:

curl -H "Authorization: Bearer <your_pat>" \
  https://eu.api.ovh.com/1.0/me

Depending on the location of your account, use the appropriate API endpoint:

  • EU: https://eu.api.ovh.com/1.0/
  • CA: https://ca.api.ovh.com/1.0/

For product backend APIs that do not support the Bearer scheme, you can use hybrid authentication by prefixing the username with pat_jwt_ and supplying the token as the password:

curl -u "pat_jwt_<any_suffix>:<your_pat>" \
  https://<your_cluster>.logs.ovh.com:9200/_cluster/health?pretty

Replace <any_suffix> with any ASCII string to identify the token.

Manage and revoke tokens

List existing tokens

Via the OVHcloud Control Panel
Via the OVHcloud API
Via the OVHcloud CLI

On the Manage Tokens page, all PATs for the user are listed.

Manage Tokens page listing personal access tokens for a local user

Delete a token

Deleting a PAT immediately blocks further API calls.

Via the OVHcloud Control Panel
Via the OVHcloud API
Via the OVHcloud CLI

From the Manage Tokens page, click the button at the end of the token row, then select Delete.

Click Delete in the confirmation window to revoke the token.

Go further

Join our community of users.

Was this page helpful?