Personal access tokens (PATs)
Personal Access Tokens (PATs) provide secure, scoped access to the Taskurai Data Plane.
They are typically used by:
- applications that create tasks
- integrations that query state or logs
- custom tooling
- developers for local development and testing
Workers running inside Taskurai do not require PATs.
They receive internal authorization automatically.
PATs grant access to the Taskurai API.
Store them securely and never commit them to source control.
Prerequisites
- Taskurai installation (Taskurai instance, Taskurai CLI, etc.). See Taskurai Setup.
Access Scopes
Taskurai PATs only support Data Plane scopes.
Valid wildcards:
To include all scopes, user wildcards:
Data/Buildby.Taskurai/*
To include all read permissions, use wildcards:
Data/Buildby.Taskurai/*/read
Task scopes
| Scope | Description |
|---|---|
Data/Buildby.Taskurai/tasks/create | Create tasks |
Data/Buildby.Taskurai/tasks/read | List or read tasks |
Data/Buildby.Taskurai/tasks/update | Update tasks |
Data/Buildby.Taskurai/tasks/delete | Delete tasks |
Data/Buildby.Taskurai/tasks/action/dequeue | Worker dequeue access |
Data/Buildby.Taskurai/tasks/action/extend | Extend task visibility |
Data/Buildby.Taskurai/tasks/action/resume | Resume waiting tasks |
To include all task permissions, use wildcards:
Data/Buildby.Taskurai/tasks/*
Events
| Scope | Description |
|---|---|
Data/Buildby.Taskurai/events/create | Publish/create events |
Step scopes
| Scope | Description |
|---|---|
Data/Buildby.Taskurai/steps/create | Create orchestration steps |
Data/Buildby.Taskurai/steps/read | Read/query steps |
Data/Buildby.Taskurai/steps/update | Update step state |
Data/Buildby.Taskurai/steps/delete | Delete steps |
To include all step permissions, use wildcards:
Data/Buildby.Taskurai/steps/.*
State scopes
| Scope | Description |
|---|---|
Data/Buildby.Taskurai/state/create | Create state entries |
Data/Buildby.Taskurai/state/read | Read/query state |
Data/Buildby.Taskurai/state/delete | Delete state |
To include all state permissions, use wildcards:
Data/Buildby.Taskurai/state/*
Lock scopes
| Scope | Description |
|---|---|
Data/Buildby.Taskurai/locks/create | Create locks |
Data/Buildby.Taskurai/locks/read | Read locks |
Data/Buildby.Taskurai/locks/delete | Delete locks |
To include all lock permissions, use wildcards:
Data/Buildby.Taskurai/locks/*
Sensitive & Secret Data
| Scope | Description |
|---|---|
Data/Buildby.Taskurai/sensitive/read | Read sensitive data |
Data/Buildby.Taskurai/secrets/read | Read global secrets |
Logging scopes
| Scope | Description |
|---|---|
Data/Buildby.Taskurai/logs/query/read | Query logs |
Data/Buildby.Taskurai/logs/console/read | Console logs |
Data/Buildby.Taskurai/logs/system/read | System logs |
Data/Buildby.Taskurai/logs/tasks/console/read | Task console logs |
Data/Buildby.Taskurai/logs/tasks/correlation/console/read | Task correlation logs |
Data/Buildby.Taskurai/logs/commands/console/read | Command logs |
Data/Buildby.Taskurai/logs/workers/console/read | Worker console logs |
Data/Buildby.Taskurai/logs/workers/system/read | Worker system logs |
Data/Buildby.Taskurai/logs/container-images/console/read | Container image logs |
To include all log permissions, use wildcards:
Data/Buildby.Taskurai/logs/*
Managing PATs using the CLI
Creating an Access Token
To specify multiple scopes, use the --scopes option multiple times.
To create an access token, use the taskurai pat create command:
taskurai pat create \
--name "mytoken" \
--valid-minutes 43200 \
--scopes "Data/Buildby.Taskurai/tasks/*" \
--scopes "Data/Buildby.Taskurai/logs/*"
Updating an Access Token
To update an existing access token, use the taskurai pat update command:
taskurai pat update --name mytoken --valid-minutes 2500
Showing an Access Token
To view the properties of an existing access token, use the taskurai pat show command:
taskurai pat show --name mytoken
Please note that the token value is only returned when creating or updating a token.
Listing Access Tokens
To list all access tokens, use the taskurai pat list command:
taskurai pat list
Removing Access Tokens
To delete an access token, use the taskurai pat delete command:
taskurai pat delete --name mytoken
Alternatively, you can select the PAT(s) from the list using the delete command:
taskurai pat delete
Revoking Access
If you want to revoke access for a specific token, deleting the token will revoke access.
The revocation becomes effective within a 10-20 minute propagation window.
Handling PATs Securely
Local development��
For local development in C#, it is recommended to use .NET User Secrets to store and manage secrets. This way, you avoid checking secrets into source control.
Access tokens should be handled with care, as they provide access to the Taskurai API.
Hosted environments
Use secret storage such as:
- Azure Container Apps → Secrets
- Azure App Service → Application Settings
- GitHub Actions → Encrypted Secrets
- Kubernetes → Secrets