Service Tokens are an experimental feature, and may be significantly changed or even removed completely in a future release. 

Service Tokens are currently implemented as an optional plugin, and must be enabled. Once enabled, Service Tokens will be available for all COs on the platform that have CO Services defined.


CO Service Tokens are an implementation of application specific passwords. CO Service Tokens are based on Registry Services.


  1. Define a CO Service for each application that Tokens will be enabled for.
  2. Enable Tokens for each CO Service via Configuration >> Service Token Settings. Set an appropriate token type.
  3. Each CO Person who wants to set a Token can access token generation via their identity drop down menu (from their name in the top menu bar), via Service Tokens >> CO.
    1. After clicking Generate for the desired service, the Service Token will be displayed once, and should be immediately copied to the desired application client. Subsequently, a new Token may be generated, but it is not possible to view the current token.


There are various restrictions with the current implementation:

  1. Only plaintext tokens of 8 or 15 characters are supported.
  2. Once set, a token cannot be revoked completely, though it can be changed.
  3. Although provisioning is initiated when a Service Token is set, provisioners do not currently have access to the Service Token records via the normal mechanism for accessing provisioning data. In other words, there is no out of the box mechanism for accessing Service Tokens. A custom provisioner must be written.
  4. Although administrators can technically assign tokens on behalf of a user, there is no link from the CO Person canvas page to do so.


See Also