'%20fill='%23fff'%3e%3cpath%20d='M24%20364.337V24h141.909c25.481%200%2046.833%203.601%2064.056%2010.803%2017.222%207.191%2030.183%2017.279%2038.882%2030.24s13.049%2027.972%2013.049%2045.041c0%2012.961-2.72%2024.513-8.148%2034.645-5.429%2010.142-12.906%2018.534-22.431%2025.174-9.526%206.651-20.548%2011.299-33.069%2013.953v3.325c13.732.661%2026.451%204.383%2038.134%2011.134%2011.684%206.762%2021.077%2016.155%2028.168%2028.17%207.092%2012.025%2010.638%2026.231%2010.638%2042.628%200%2018.281-4.647%2034.601-13.952%2048.939-9.305%2014.35-22.762%2025.648-40.381%2033.908-17.607%208.248-38.992%2012.377-64.143%2012.377H24zm82.258-200.414h45.534c8.975%200%2016.947-1.497%2023.929-4.493s12.432-7.312%2016.374-12.961c3.931-5.65%205.902-12.466%205.902-20.439%200-11.409-4.041-20.384-12.135-26.926-8.082-6.53-18.995-9.801-32.738-9.801h-46.866v74.62zm0%20134.109h50.853c17.839%200%2030.987-3.381%2039.466-10.131%208.479-6.762%2012.708-16.178%2012.708-28.247%200-8.755-2.049-16.309-6.145-22.686-4.096-6.365-9.922-11.298-17.443-14.789-7.532-3.491-16.561-5.231-27.089-5.231h-52.339v81.095l-.011-.011zM388.865%2024v340.337h-81.256V24h81.256zm181.618%20230.159V109.082h81.091v255.255h-77.435v-47.529h-2.665c-5.649%2015.616-15.263%2028.004-28.829%2037.145-13.578%209.14-29.941%2013.71-49.102%2013.71-17.398%200-32.683-3.986-45.864-11.97-13.181-7.973-23.433-19.14-30.745-33.489s-11.023-31.165-11.133-50.437V109.082h81.256v146.739c.11%2013.854%203.766%2024.767%2010.968%2032.74s17.002%2011.96%2029.413%2011.96c8.082%200%2015.372-1.795%2021.847-5.407%206.486-3.601%2011.628-8.865%2015.45-15.781%203.821-6.927%205.737-15.318%205.737-25.174h.011zm224.376%20115.002c-26.704%200-49.718-5.286-69.044-15.869-19.337-10.583-34.181-25.703-44.532-45.371-10.362-19.668-15.537-43.069-15.537-70.215s5.208-49.445%2015.614-69.212c10.418-19.779%2025.096-35.174%2044.037-46.197s41.261-16.53%2066.962-16.53c18.17%200%2034.787%202.83%2049.851%208.48s28.08%2014.007%2039.048%2025.086%2019.501%2024.734%2025.591%2040.966%209.14%2034.81%209.14%2055.756v20.273H694.145v-47.199h146.226c-.11-8.633-2.159-16.342-6.145-23.104s-9.448-12.047-16.374-15.869-14.866-5.726-23.841-5.726-17.233%202.015-24.424%206.057c-7.202%204.052-12.906%209.537-17.112%2016.452-4.207%206.927-6.431%2014.757-6.652%2023.512v48.025c0%2010.417%202.049%2019.525%206.145%2027.332s9.911%2013.876%2017.454%2018.193c7.532%204.317%2016.506%206.486%2026.924%206.486%207.201%200%2013.731-1.002%2019.612-2.995%205.869-1.993%2010.912-4.923%2015.119-8.81%204.206-3.876%207.367-8.645%209.47-14.294l74.616%202.158c-3.105%2016.728-9.889%2031.264-20.361%2043.62s-24.182%2021.937-41.129%2028.743c-16.947%206.816-36.559%2010.219-58.825%2010.219l.011.033z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='A'%3e%3cpath%20fill='%23fff'%20transform='translate(24%2024)'%20d='M0%200h892v345.161H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Create a Token
Generate a personal access token with createPersonalAccessToken and capture its one-time Secret.
Use the createPersonalAccessToken mutation to generate a new personal access token (PAT) for the Blue API. The token is created against your own user account and is the credential you supply in the X-Bloo-Token-ID and X-Bloo-Token-Secret request headers. In the API a token is a PersonalAccessToken object.
The create response is the only place the plaintext Secret is ever returned — see Capture the Secret now below before you run this.
Request
The smallest call passes only a name. Select uid (the Token ID for your headers) and secret (the plaintext value, returned only here).
mutation CreateToken {
createPersonalAccessToken(input: { name: "CI deploy bot" }) {
id
uid
name
secret
createdAt
}
}To make a token auto-expire, pass an expiredAt timestamp:
mutation CreateExpiringToken {
createPersonalAccessToken(
input: { name: "Quarterly export job", expiredAt: "2026-12-31T23:59:59Z" }
) {
uid
name
secret
expiredAt
}
}This mutation requires an authenticated user session (Firebase/JWT login), so it needs only the X-Bloo-Company-ID header alongside your session token — not the X-Bloo-Token-* headers. See Permissions.
Parameters
CreatePersonalAccessTokenInput
| Parameter | Type | Required | Description |
|---|---|---|---|
name | String! | Yes | A label for the token, shown in your token list. Max 50 characters. Trimmed, HTML-escaped, and stripped of links and tags on save. |
expiredAt | DateTime | No | Optional expiry timestamp (ISO 8601). After this moment the token stops authenticating — auth rejects it and the request is treated as unauthenticated. Omit for a token that never expires. |
scopes | String | No | Reserved — not yet enforced. The value is validated but is not stored or checked anywhere; it grants no scope-limiting today. Every token currently has the full access of its owning user. Do not rely on it to restrict a token. |
Response
The mutation returns the created PersonalAccessToken. The secret field is populated only on this response.
{
"data": {
"createPersonalAccessToken": {
"id": "clm4n8qwx000008l0g4oxdqn7",
"uid": "clm4n8qwx000108l0h2pzeabc",
"name": "CI deploy bot",
"secret": "pat_clm4n8qwx000208l0k7rytxyz",
"createdAt": "2026-05-29T14:02:11.000Z"
}
}
}Returns
PersonalAccessToken fields relevant to this mutation:
| Field | Type | Description |
|---|---|---|
id | ID! | Internal record ID of the token. Use this with deletePersonalAccessToken to revoke it. Not a header value. |
uid | String! | The unprefixed Token ID. Send this as the X-Bloo-Token-ID header. |
name | String! | The sanitized label you supplied. |
secret | String | The pat_-prefixed plaintext Secret. Send this as the X-Bloo-Token-Secret header. Non-null only on this create response — every other read returns null. |
scopes | String | Always null in practice (the input value is not persisted). Reserved. |
expiredAt | DateTime | The expiry you set, or null if the token never expires. |
lastUsedAt | DateTime | Last-used timestamp for auditing. null on a freshly created token. |
createdAt | DateTime! | When the token was created. |
updatedAt | DateTime! | When the token was last modified. |
user | User! | The owning user — always you. |
The secret (pat_...) is shown exactly once, here. Blue stores only a bcrypt hash of it, so it is unrecoverable afterward — not even Blue can show it to you again. Copy it into your secret store immediately. If you lose it, revoke the token and create a new one. The List Tokens query always returns secret: null.
Mapping fields to headers
The two values you read here map directly to the request headers used by every authenticated API call:
| Create response field | Request header | Example value |
|---|---|---|
uid | X-Bloo-Token-ID | clm4n8qwx000108l0h2pzeabc |
secret | X-Bloo-Token-Secret | pat_clm4n8qwx000208l0k7rytxyz |
The pat_ prefix belongs to the Secret, not the Token ID. See Making Requests for a full authenticated request.
Errors
| Code | When |
|---|---|
FORBIDDEN | The request is authenticating with a token (X-Bloo-Token-ID header present) instead of a user session. Token creation requires a session — see Permissions. |
BAD_USER_INPUT | name is missing, not a string, or exceeds 50 characters; or expiredAt is not a valid date. |
UNAUTHENTICATED | No valid session credential was supplied at all. |
Permissions
Creating a token requires an authenticated user session — the Firebase/JWT login the app uses, not token auth. The resolver rejects the request with FORBIDDEN if it detects PAT headers (X-Bloo-Token-ID), so you cannot mint a new token using an existing token. Generate tokens from a logged-in session. The same guard applies to revoking a token.
Tokens are always owned by the calling user. A token grants that user’s full access; there is no scope narrowing today (see the scopes note above).
Related
- Personal Access Tokens — overview of the Token ID / Secret split and the
X-Bloo-*headers. - List Tokens — page through and audit your tokens (
secretis alwaysnullthere). - Revoke a Token — delete a token by
id; it stops authenticating immediately. - Authentication — the in-app flow for generating a token.
- Making Requests — send an authenticated request with the Token ID and Secret.