From ce55e68e63ceb9dd29914a710f6ac2562200d2b9 Mon Sep 17 00:00:00 2001 From: Aamod007 Date: Sun, 14 Jun 2026 16:42:35 +0530 Subject: [PATCH] docs: clarify token privilege scoping Signed-off-by: Aamod007 --- content/en/cloud/concepts/identity-and-security/tokens.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/en/cloud/concepts/identity-and-security/tokens.md b/content/en/cloud/concepts/identity-and-security/tokens.md index 4e39d0c946f..a54c6c8ea5b 100644 --- a/content/en/cloud/concepts/identity-and-security/tokens.md +++ b/content/en/cloud/concepts/identity-and-security/tokens.md 
@@ -22,6 +22,12 @@ Access tokens are opaque tokens that conform to the OAuth 2.0 framework. They co Layer5 Cloud API tokens are scoped to your user account, not to a specific organization. This means a single API token provides access to all organizations you are a member of, similar to how [GitHub Personal Access Tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) work. For users who belong to multiple organizations, see [Specifying Organization Context]({{< ref "cloud/reference/api-reference/_index.md#specifying-organization-context" >}}) in the REST API documentation to learn how to control which organization your API requests operate on. {{< /alert >}} +## Privilege Scoping + +API tokens in Layer5 are **identity-scoped**. This means they inherently carry the exact same privileges, roles, and permissions as your user account. + +Layer5 does not currently support fine-grained, token-specific privilege scopes (for example, generating a strictly "read-only" token if you have "read-write" permissions). The token grants the bearer the same level of access you have across all environments and organizations you are a member of. + ## Creating tokens You can create a token for your user account at any time. Tokens never expire, but can be revoked. You can also give the token a descriptive label. This label will be shown in the list of tokens on your user account's security tokens page.
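Review bot: The second added paragraph under "Privilege Scoping" states the limitation but stops short of telling the reader what to do about it. The unchanged "Creating tokens" text right below says tokens "never expire, but can be revoked", so a leaked token is full account access with no time limit until someone revokes it. Suggest closing the new section with one sentence that says this and points to revocation (and to the label as a way to tell tokens apart when revoking). Smaller points: the heading "## Privilege Scoping" is title case while the next heading is "## Creating tokens"; the first added paragraph says "API tokens in Layer5" and introduces "identity-scoped" where the alert just above says "Layer5 Cloud API tokens" and "scoped to your user account", so either reuse that wording or define the new term once; and "all environments" appears here for the first time in the visible text, so link it to its definition or match the alert's "all organizations you are a member of".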