API Tokens

An API token is a token string and optional password that can be used to log into a server. When logged in, the token will impersonate the user that created it, and all file operations will occur as that user. Permissions and sandbox path access, however, can be restricted so that the token user does not have all the same rights as the original user.

Common use cases include creating a token with access only to a specific directory (shared folders), or creating a token for use in scripting so that the user’s credentials remain private. Tokens are time limited and can be revoked at any time, so they can serve as a simple form of user management. Keep in mind, however, that file permissions are still restricted to those of the original user.

API tokens can be distributed to users as links, allowing the user to connect and log on to a server without needing any configuration other than the token password. Credentials of the user who created the link are never shared with the link recipients.

Expired tokens will be removed from the server within two hours of expiry.


If your server is running behind a firewall, you may need to specify an --external-address so that the client can generate correct links.


If you wish to disable the API tokens functionality, use --api-disable-api-tokens.

API tokens can be created using the JetStream Client or using the JetStream API.


On multi-user Windows systems, if not using the default service settings, the Act as part of the operating system (SeTcbPrivilege) right may be required.