Automate
Anything you can do in the App, you can do against the API. Personal access tokens are how non-interactive code authenticates; the four-axis scope cube is how you constrain what those tokens can do.
Create a personal access token
Mint a PAT from the App's API explorer. Stash the secret once — it can't be re-read.
Scope a token
Four axes — method × path × tenant × account. Pick the smallest cube that lets the job run.
Exchange a PAT for a JWT
Long-lived PAT becomes a short-lived JWT. The standard move for systems that don't want to carry the secret in every request.
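The four-axis check described under "Scope a token", as an added example that is not the product's own code: a request is allowed only when it falls inside the token's cube on every axis. The `Scope` record, the path-prefix matching rule and all sample values are assumptions, since this page does not show the real scope format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    """Hypothetical scope record: one cube across the page's four axes."""
    methods: frozenset   # HTTP methods the token may use, e.g. {"GET"}
    path_prefix: str     # API subtree the token may reach, e.g. "/analytics"
    tenant: str
    account: str


def path_in_scope(prefix: str, path: str) -> bool:
    # Refuse traversal segments outright instead of trying to normalise them.
    if ".." in path.split("/"):
        return False
    # Match whole segments so "/analytics" does not also cover "/analytics-export".
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def allowed(scope: Scope, method: str, path: str, tenant: str, account: str) -> bool:
    # Default deny: every axis must match, none is optional.
    return (
        method.upper() in scope.methods
        and path_in_scope(scope.path_prefix, path)
        and tenant == scope.tenant
        and account == scope.account
    )


# Constructed sample: a read-only token for a custom analytics dashboard.
DASHBOARD = Scope(frozenset({"GET"}), "/analytics", "tenant-a", "acct-1")


def demo() -> list:
    requests = [
        ("GET", "/analytics/daily", "tenant-a", "acct-1"),   # inside the cube
        ("POST", "/analytics/daily", "tenant-a", "acct-1"),  # wrong method
        ("GET", "/analytics-export", "tenant-a", "acct-1"),  # sibling path
        ("GET", "/analytics/daily", "tenant-b", "acct-1"),   # wrong tenant
        ("GET", "/analytics/daily", "tenant-a", "acct-2"),   # wrong account
    ]
    return [allowed(DASHBOARD, *r) for r in requests]


if __name__ == "__main__":
    print(demo())
```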
When to reach for the API instead of the App
- You're scripting rule changes from a config repo.
- You're pulling analytics into a custom dashboard or alert.
- You're integrating with a sibling service — your ETL platform posts a marker after every load.
- You're running a one-off audit and want output you can grep.
Anything else — a single rule edit, an investigation, an invite — stays in the App. The API surface and the App surface are equivalent in what they can do; one is meant for hands-on work, the other for software.
The audit trail follows the token
Every API call carries the identity behind the token: the person who minted it, the tenant it was scoped to, the action taken. Tokens that aren't tied to a real person (service accounts) get a clearly-named PAT and are audited as that PAT — the audit log doesn't lose its meaning when the actor is a script.
Mint your first PAT
Open the API explorer in the App. The mint flow is one form.