Logo

Personal Access Tokens

Personal Access Tokens (PATs) allow you to authenticate with Bailo's API and container registry programmatically. Each token can be scoped to specific models and actions, giving you fine-grained control over what the token can do.

Common questions this page answers:

  • How do I create a Personal Access Token (PAT)?
  • What permissions can I assign to a token?
  • How do I use a token with curl or the Python client?
  • How do I revoke a token?

Creating a token

Create tokens from the Authentication tab in your user settings.

  1. Navigate to User (top right) > Settings > Authentication
  2. Click Add Token
Authentication tab listing personal access tokens and add token button

The screenshot above shows the Authentication tab listing existing personal access tokens with their descriptions, access keys, and a delete button for each.

  1. Fill in the form:
    • Description - a name to help you identify this token (e.g. "CI/CD pipeline", "Local development")
    • Models - choose All models or select specific models
    • Actions - select the permitted actions this token can perform
generate personal token form

The screenshot above shows the token creation form with fields for description, model scope, and action permissions.

  1. Click Generate Token
  2. Copy both the Access Key and Secret Key immediately - the secret key is only shown once and cannot be retrieved later

Available permissions

Each token can be scoped to specific actions using these permission types.

  • model:read - View model and data card settings
  • model:write - Create and update model and data card settings
  • model:export - Export model and data card settings
  • release:read - View release information
  • release:write - Create and update releases
  • release:export - Export release information
  • access_request:read - View and list access requests
  • access_request:write - Create, approve, and comment on access requests
  • file:read - Download and view files
  • file:write - Upload and delete files
  • image:read - List and pull container (Docker) images
  • image:write - Push and delete container images
  • schema:write - Upload and modify schemas (administrators only)
  • reviewRole:read - View review roles
  • reviewRole:write - Create and update review roles

Note: Selecting a write permission automatically includes the corresponding read permission.

Token scoping

Tokens can be scoped to all models or restricted to specific models.

  • All models - the token works with every model in Bailo
  • Specific models - the token only works with the models you select

Use specific model scoping when possible to follow the principle of least privilege.

Managing tokens

View and delete existing tokens from the Authentication tab:

  1. Navigate to User > Settings > Authentication
  2. Your existing tokens are listed with their description and access key
  3. Click the delete button next to a token to revoke it

Important: Deleting a token is immediate and permanent. Any scripts or applications using that token will stop working.

Using tokens

Tokens use HTTP Basic Authentication with the access key as the username and the secret key as the password.

  • Username: the access key
  • Password: the secret key

With the Python client

from bailo import TokenAgent, Client

agent = TokenAgent(access_key="your-access-key", secret_key="your-secret-key")
client = Client("https://your-bailo-instance.com", agent=agent)

With curl

curl -u "your-access-key:your-secret-key" \
     https://your-bailo-instance.com/api/v2/models/search

With the container registry

docker login your-registry-host -u "your-access-key" -p "your-secret-key"

Security best practices

Follow these practices to keep your tokens secure.

  • Store secret keys securely - use environment variables or a secrets manager, not source code
  • Use minimum permissions - only grant the actions your workflow needs
  • Scope to specific models when possible
  • Rotate tokens regularly - delete old tokens and create new ones
  • Use separate tokens for different purposes (CI/CD, local dev, etc.)

Related pages


Copyright © Crown Copyright 2026.