Skip to main content
Personal Access Tokens are the credentials you use to authenticate with the Raydocs REST API. They’re scoped, revocable, and tied to your user account — keep them secret.

Creating a Token

1

Sign In

Sign in to your Raydocs account at raydocs.com.
2

Open Settings

Click on your profile icon and select Settings, then navigate to Access Tokens.
3

Create New Token

Click Create new token and enter a descriptive name (e.g., “Production Integration”).
4

Select Abilities

Choose the abilities (scopes) you want to grant to this token.
5

Copy Token

Click Create and copy the token value immediately.
You won’t be able to see the token again after closing the dialog. Store it securely.

Abilities

Abilities control what operations a token can perform:
AbilityGrants
workspaces-readList workspaces
workspaces-writeCreate, update or delete workspaces
workspace-users-readList members and invites
workspace-users-writeManage members and invites
templates-readList and view extraction templates
templates-writeCreate, update, or delete templates
sessions-readList sessions, documents, and results
sessions-writeCreate sessions, upload documents, run extractions
Choose the minimum set of abilities your integration requires. This follows the principle of least privilege and limits exposure if a token is compromised.

Using the Token

Send the token in the Authorization header with every API request: 
Authorization: Bearer <access_token>

Example

curl -X GET "https://api.raydocs.com/workspaces" \
  -H "Authorization: Bearer rd_live_abc123xyz..."

Revoking a Token

If a token is leaked or no longer needed:
1

Go to Settings

Navigate to Settings → Access Tokens.
2

Find Token

Locate the token you want to revoke in the list.
3

Revoke

Click Revoke next to the token.
Any API requests using a revoked token will receive 401 Unauthorized.

Best Practices

Store tokens in environment variables, secret managers (AWS Secrets Manager, HashiCorp Vault), or CI/CD secrets. Never hardcode tokens in source code. bash # Good: Environment variable export RAYDOCS_API_TOKEN="rd_live_abc123..." # In your code token = os.environ.get("RAYDOCS_API_TOKEN")
Create a dedicated token for each integration or service. This makes it easy to revoke access for a single integration without affecting others.
Never commit tokens to Git or other version control systems. Add token files to .gitignore and use secret scanning tools. gitignore # .gitignore .env .env.local secrets.json
Rotate tokens periodically, especially for production integrations. Create a new token, update your integration, then revoke the old token.
Only grant the abilities your integration actually needs. A read-only dashboard integration shouldn’t have write permissions.

Troubleshooting

Possible causes: - Token is missing from request - Token has been revoked - Token is malformed Solution: Verify the token is included correctly in the Authorization header and hasn’t been revoked.
Possible causes: - Token lacks required ability for the endpoint - Attempting to access a resource in another workspace Solution: Check that your token has the necessary abilities for the operation you’re attempting.