The API Management section allows you to create and manage API tokens used for authenticating integrations with the Ravnur Media Platform.
API tokens replace the need for user accounts with API permissions. Instead of logging in as a user, external applications use a dedicated API token to obtain a short-lived access token for making API calls.
In this article:
Exchange the API token for an access token
Refresh the token when it expires
API Tokens concept
- Token-Based access control: Generate API tokens with specific roles and scopes to limit access using Role.
- Granular permissions: Use Scope to limit the token to a specific application.
You do not need to create a user account with API permissions to access the Ravnur API.
All API authentication and access control are handled through API tokens and access tokens.
Review existing API tokens
You can view tokens for a single application or all applications.
- Application view: In the application switcher (top left), select an application, then navigate to Settings > API management to view tokens scoped to that application only.
- Root view: Use Admin portal > API Management to see and manage tokens across all applications.
The API tokens list displays:
- Name
- Creation date
- Creator
- Expiration date
- Role (corresponds to defined roles in your Roles settings)
- Scope (the application this token can manage)
- Status ("Valid" unless expired)
Reminder: The Scope defines which application the token can access. The Role defines what the token can do within that application.
Create a token
1. Go to Settings > API Management.
2. Click Create API Token.
3. In the creation pop-up, provide:
- Token name: a descriptive Token name.
- Scope: choose the application this token can access.
- Role assignment: pick the role that sets allowed actions.
- Validity period: choose an expiration period.
Role assignment note:
See the API Permissions Matrix for a detailed breakdown of which permissions are required for each API action and entity.
4. Select Create. A token value is generated.
5. Copy the token now and store it in a secure location.
6. Check the confirmation box to acknowledge you’ve saved the token, then select Close.
Important: For security reasons, the full token is typically displayed only once at creation and cannot be viewed again later. If you lose it, create a new token and delete the old one.
Replace API tokens
Use this when a token is expiring, or as part of regular security hygiene.
To replace an existing token:
1. Create a new API token following the steps above.
2. Update all integrations that are connected to RMP to use the new token.
3. Test that all integrations work with the new key.
4. Delete the old key from the API Management list.
Caution: Deleting a token immediately breaks any integration still using it. Confirm all integrations have been updated with a new token first.
Use API tokens
Once you create an API token, use it to obtain an access token for authentication.
All integrations with the Ravnur API should use this token-based flow.
Exchange the API token for an access token
Endpoint:
POST /api/v1.0/tokenRequest body:
{
"apiKey": "your_api_key"
}Response:
The response returns an access token and a refresh token:
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}Use the accessToken in the Authorization header for all subsequent API calls:
Authorization: Bearer <accessToken>
Refresh the token when it expires
When the token expires, you can refresh it using the endpoint:
Endpoint:
POST /api/v1.0/refreshRequest body:
{
"refreshToken": "your_refresh_token"
}The response will return a new access token.