API Tokens
Create and manage scoped API tokens for programmatic access to PlayableLabs
Overview
API tokens provide programmatic access to the PlayableLabs API. Each token is scoped to a specific organization and can be restricted to specific permissions. All tokens use the pl_ prefix for easy identification.
Token Types
PlayableLabs has two ways to access API tokens:
- Organization Tokens — Created via Developers > Tokens in the header navigation. Scoped to a specific organization with fine-grained permissions.
- Personal Tokens — Accessible via Account Settings > Tokens, which redirects to the Developers > Tokens page. This is a convenience shortcut for backward compatibility.
Creating a Token
- Go to Developers > Tokens in the header navigation
- Click Create Token
- Configure the token:
- Name — Descriptive name (e.g., "CI/CD Pipeline" or "Export Automation")
- Organization — Select which organization this token applies to (if you belong to multiple)
- Expiration — Choose token lifetime:
- 30d — 30 days
- 90d — 90 days
- 1y — 1 year
- never — No expiration
- Permissions — Select scopes using the permission grid
- Click Create
The full token value is shown only once after creation. Copy and store it securely -- you cannot retrieve it later.
Permission Scopes
Tokens use a fine-grained permission grid. The system currently enforces these scopes:
| Scope | Status | Description |
|---|---|---|
games:read | Soon | List and view games, versions, variants |
games:write | Soon | Create, update, and delete games |
games:delete | Soon | Delete games |
versions:read | Soon | View game versions |
versions:write | ✅ Enforced | Create and update versions |
assets:read | Soon | List and download assets |
assets:write | ✅ Enforced | Upload and manage assets |
exports:read | Soon | View export history and status |
exports:create | Soon | Create new exports |
Note: Scopes marked "Soon" are displayed in the UI but not yet enforced by the API. Currently, only
versions:writeandassets:writehave backend validation.
Scope Recommendations
- Version management:
versions:write - Asset automation:
assets:write - Full access: Select all scopes for maximum flexibility
Managing Tokens
Viewing Tokens
The token list shows all active tokens for your organization:
- Name and creation date
- Last used timestamp
- Scopes assigned to the token
- Token prefix (first 8 characters) for identification
Revoking a Token
- Find the token in the list
- Click the Delete button
- Confirm the revocation
Revoked tokens stop working immediately. Any API requests using the token will return 401 Unauthorized.
Security Best Practices
- Least privilege -- Grant only the scopes your integration needs
- Rotate regularly -- Replace tokens every 90 days
- Use descriptive names -- Include the purpose and owner in the token name
- Never commit tokens -- Keep tokens out of source code and version control
- Monitor usage -- Check the "last used" timestamp to identify stale tokens
- One token per integration -- Use separate tokens for different services
If you suspect a token has been compromised, revoke it immediately from the API Tokens page and create a new one.
Using Tokens in API Requests
Pass the token in the Authorization header:
curl -H "Authorization: Bearer pl_xxxxxxxx..." \
https://api.playablelabs.studio/api/gamesAll PlayableLabs API tokens start with the
pl_prefix. If your token doesn't have this prefix, it may be invalid or from an older version.
See the Authentication guide for detailed examples.
Next Steps
- Authentication guide -- Learn about JWT and token-based auth
- API overview -- Explore available endpoints