Hourdini Docs

Personal access tokens

How to mint, use, and revoke the tokens that power the CLI, AI agents, and API.

A Personal Access Token (PAT) is a long string that proves you're you when you connect Hourdini to something that isn't a web browser: the CLI, an AI agent, or your own scripts.

Minting a token

Sign in to the web app and open /cli/connect. Click Generate token, give it a name (e.g. "MacBook CLI", "Cursor on work laptop"), and copy the value.


Tokens show only once

We display the token a single time, right after you generate it. We store only a hashed version, so we can't show it to you again later. Copy it now and paste it into the place that needs it.

What a token can do

A token has the same permissions you do in the organization it was minted under. If you're an Owner, the token can do everything an Owner can do. If you're a Member, the token can do everything a Member can do.

Tokens cannot be used to mint other tokens, change your password, or sign in to the web app.

What a token is bound to

A token is bound to:

  • One user. You.
  • One organization. The one that was active when you minted the token.

This second part is the gotcha worth knowing about.

The org-scoping gotcha

Switching your active organization in the web app does not switch what your existing tokens point at. A token minted while "Acme Studios" was active will keep talking to Acme Studios, even after you switch the web app to "Personal".

If you want to use the CLI or an agent against a different org:

  1. Switch the web app to that org.
  2. Open /cli/connect again.
  3. Generate a new token.
  4. Update the CLI / agent config to use the new token.

You can have as many tokens as you need. Each one can point at a different org.

Listing your tokens

Open Settings → Tokens. You'll see every token you've minted: the name you gave it, the org it points at, when it was created, and when it was last used.


Revoking a token

Click Revoke next to the token. Revocation is immediate:

  • The next request from that token gets rejected.
  • An AI agent will notice the next time it tries to call a tool.
  • A CLI invocation will print a "not authenticated" error.

There's no "30-day grace period". Revoke a token the moment you suspect it's been exposed (laptop lost, accidentally pasted into a shared doc, etc.).

When tokens stop working on their own

Tokens stop working automatically if:

  • Your membership in their org is removed. This is a security feature; losing a job at an agency immediately disconnects your agent from their data.
  • The organization is deleted. The token is pinned to that org, so there is no remaining workspace for it to access.
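
The rules described so far (only a hash is stored, a token is bound to one user and one org, revocation is immediate, and losing membership disables the token) can be modelled in a few lines of Python. This is an added illustration, not Hourdini's code; the TokenStore class, the pat_ prefix, and the choice of SHA-256 are assumptions.

```python
import hashlib
import secrets

class TokenStore:
    """Hypothetical model of the rules on this page; not Hourdini's code."""
    def __init__(self):
        self.members = set()  # (user, org) memberships that currently exist
        self.tokens = {}      # sha256(token) -> record; plaintext never stored

    @staticmethod
    def _digest(token):
        # Assumption: SHA-256. A fast hash suits a 256-bit random token,
        # unlike a human-chosen password.
        return hashlib.sha256(token.encode()).hexdigest()

    def mint(self, user, active_org, name):
        if (user, active_org) not in self.members:
            raise PermissionError("not a member of the active org")
        token = "pat_" + secrets.token_urlsafe(32)  # constructed format
        self.tokens[self._digest(token)] = {
            "user": user, "org": active_org, "name": name, "revoked": False}
        return token  # shown once; only the digest is kept

    def revoke(self, user, name):
        for rec in self.tokens.values():
            if rec["user"] == user and rec["name"] == name:
                rec["revoked"] = True  # takes effect on the next request

    def authenticate(self, token):
        """Return (user, org) for a usable token, else None."""
        rec = self.tokens.get(self._digest(token))
        if rec is None or rec["revoked"]:
            return None
        # Re-checked per request: losing membership (or the org being
        # deleted) disables the token with no separate revoke step.
        if (rec["user"], rec["org"]) not in self.members:
            return None
        return rec["user"], rec["org"]  # org fixed at mint time

if __name__ == "__main__":
    store = TokenStore()
    store.members |= {("you", "Acme Studios"), ("you", "Personal")}
    cli = store.mint("you", "Acme Studios", "MacBook CLI")
    print(store.authenticate(cli))  # org comes from the token record
    store.revoke("you", "MacBook CLI")
    print(store.authenticate(cli))
```

Note that authenticate() never consults a "currently active org": the org comes from the token record alone, which is the org-scoping behaviour described earlier.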

Best practices

  • One token per device or app. Don't share one token across your laptop, your work machine, and Claude Desktop. Mint three. If your laptop is stolen, you revoke one without breaking the other two.
  • Name them helpfully. "MacBook CLI", "Claude Desktop on home iMac", "automation scripts". You'll thank yourself later.
  • Revoke generously. A token you haven't used in months is a liability with no benefit.
