# Manage API Tokens

> Create, revoke, and scope cPanel API tokens. Authenticate scripts and integrations without sharing your password.

API tokens are how you let scripts, monitoring tools, deployment runners, or anything else outside cPanel call the cPanel API on your behalf. The token replaces your password when calling [UAPI](https://api.docs.cpanel.net/) or `WHM API` endpoints, and you can revoke it any time without changing your login password.

Open it from cPanel home → **Security** → **Manage API Tokens**.

<Frame caption="Manage API Tokens with the Generate Token button and the list of existing tokens">
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/manage-api-tokens/listing-light.png" alt="API Tokens page with active tokens and the Generate button" className="block dark:hidden" />

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/manage-api-tokens/listing-dark.png" alt="API Tokens page with active tokens and the Generate button" className="hidden dark:block" />
</Frame>

## Generate a token

<Steps>
  <Step title="Click Create">
    The token form opens.
  </Step>

  <Step title="Give it a name">
    Pick a name that tells future-you what the token is for: `deploy-runner-prod`, `uptime-check`, `wp-toolkit-backups`. Names are free-form; only you see them.
  </Step>

  <Step title="Set an expiry (optional)">
    Pick a date the token should stop working on. Leave blank for a token that lives until you revoke it manually. For a one-off job, an expiry is the safer default.
  </Step>

  <Step title="Click Create">
    cPanel shows the token string **once**. Copy it now. It's not shown again, and there's no way to retrieve it later. If you lose it, generate a new one and revoke the lost one.

    <Frame>
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/manage-api-tokens/created-token-light.png" alt="Generated API token shown once after creation" className="block dark:hidden" />

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/manage-api-tokens/created-token-dark.png" alt="Generated API token shown once after creation" className="hidden dark:block" />
    </Frame>
  </Step>
</Steps>

## Use a token

Pass the token in the `Authorization` header on every API call. Format: `Authorization: cpanel <username>:<token>`.

```bash
curl -H "Authorization: cpanel myuser:ABCDEF1234567890" \
  "https://your-server.example.com:2083/execute/Email/list_pops"
```

You can also pass it as `--user`:

```bash
curl -u myuser:ABCDEF1234567890 \
  "https://your-server.example.com:2083/execute/Email/list_pops"
```

The token authenticates as your cPanel user. It can do anything you can do in the UI, with no scope filter on the cPanel side.
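
Because the token is a full credential, scripts should keep it off the command line, where it ends up in shell history and can be seen in the process list while curl runs. The sketch below is an added example, not code from cPanel or Noxity: it builds the same `Authorization: cpanel <username>:<token>` header and hands it to curl on stdin. The environment variable names `CPANEL_HOST`, `CPANEL_USER`, `CPANEL_TOKEN` and the helper function names are assumptions.

```bash
# Added example: UAPI call with the token kept out of argv and shell history.
# Assumed names: CPANEL_HOST, CPANEL_USER, CPANEL_TOKEN (environment variables);
# uapi_curl_config and uapi_call are hypothetical helpers, not cPanel tooling.

# Succeeds only for non-empty values made of characters that cannot break out
# of a double-quoted curl config string (no quotes, backslashes or whitespace).
_uapi_safe() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print a curl config for one UAPI call, e.g. uapi_curl_config Email/list_pops
uapi_curl_config() {
  for _v in "${CPANEL_HOST:-}" "${CPANEL_USER:-}" "${CPANEL_TOKEN:-}"; do
    if ! _uapi_safe "$_v"; then
      echo "uapi: host, user or token is missing or malformed" >&2
      return 2
    fi
  done
  case "${1:-}" in
    '' | *[!A-Za-z0-9_/]*)
      echo "uapi: endpoint must look like Module/function" >&2
      return 2 ;;
  esac
  printf 'url = "https://%s:2083/execute/%s"\n' "$CPANEL_HOST" "$1"
  printf 'header = "Authorization: cpanel %s:%s"\n' "$CPANEL_USER" "$CPANEL_TOKEN"
  # fail: HTTP errors such as 401 (revoked or mistyped token) give a non-zero exit.
  printf 'fail\nsilent\nshow-error\n'
}

# Run the call. printf is a shell builtin, so the token never appears in the
# argument list of any process; curl reads it from stdin via --config -.
uapi_call() {
  _cfg="$(uapi_curl_config "$1")" || return $?
  printf '%s\n' "$_cfg" | curl --config -
}
```

Set the three variables from your CI secret store rather than in the script, then run `uapi_call Email/list_pops`.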

## Revoke a token

The list at the bottom of the page shows every active token with a **Revoke** action. Click it. The token stops working immediately. Anyone holding it gets `401 Unauthorized` on the next call.

Edit a token instead of revoking if you only need to change the name or the expiry.

## What the token list shows

Each row in the token list has:

* **Name.** What you typed at creation. Editable.
* **Created.** Timestamp the token was issued.
* **Expires.** The expiry date you set, or **Never**.
* **Last Used.** Last time the token authenticated a request. Useful for spotting tokens that nothing is actually using; those are safe to revoke.

## Common patterns

### One token per integration

Don't reuse a single token across multiple tools. If one leaks, you can revoke it without breaking the others. A naming convention helps: `<tool>-<env>-<purpose>`.

### Short-lived tokens for CI

Generate a token at the start of a deploy, set the expiry one day out, run the deploy, let it expire. Even better, revoke it at the end of the run. No long-lived secret sitting in a CI variable.

### Pair with WHM IP whitelisting

If a token is for a machine with a static IP (a deploy box, an uptime monitor), set the whitelist to that IP. A leaked token from anywhere else is useless.

## Common issues

<AccordionGroup>
  <Accordion title="401 Unauthorized on every request">
    Three usual causes: token typo, wrong username, or the token has been revoked. Compare the token against what you copied at creation; if you can't, generate a new one.
  </Accordion>

  <Accordion title="The token works in cPanel calls but not WHM">
    cPanel API tokens are different from WHM API tokens. cPanel tokens are managed in this tool, scoped to your cPanel account; WHM tokens are managed by the server admin via WHM. On Noxity shared hosting, you only have cPanel API access.
  </Accordion>

  <Accordion title="I lost the token I generated">
    cPanel doesn't store the plaintext token, only a hash. There's no recovery. Generate a new one, revoke the lost one.
  </Accordion>

  <Accordion title="Can I scope a token to one feature?">
    Not in the cPanel token UI. The token can do anything the user can. Treat each token like a full credential and rotate often.
  </Accordion>
</AccordionGroup>

## Need a hand?

<CardGroup cols={2}>
  <Card title="Open a ticket" icon="life-ring" href="https://members.noxity.io/submitticket.php">
    Best for anything that needs an account check or a config change on our end.
  </Card>

  <Card title="Live chat" icon="messages" href="https://noxity.io/contact">
    Faster for quick questions during business hours.
  </Card>
</CardGroup>
