The Aiven API uses token-based authentication. All API requests must include a valid authentication token in the Authorization header.

Authentication methods

Aiven supports three types of tokens:
  1. Session tokens: Created when you log in to the Aiven Console or CLI. Automatically revoked when you log out.
  2. Personal tokens: Created manually for API and CLI access. Can be configured with custom session durations and IP restrictions.
  3. Application tokens: Linked to application users for non-human access. Recommended for automated systems and integrations.

Creating a personal token

Using the Aiven Console

  1. Click User information in the top right
  2. Select Tokens
  3. Click Generate token
  4. Enter a description and set the session duration
  5. Click Generate token
  6. Copy the token and store it securely
You cannot view the token after closing the creation window. Store it in a secure location immediately.

Using the Aiven CLI

avn user access-token create \
  --description "My API token" \
  --max-age-seconds 86400

Using tokens in API requests

Include your token in the Authorization header with the aivenv1 prefix:
Authorization: aivenv1 YOUR_TOKEN_HERE

Examples

curl -H "Authorization: aivenv1 YOUR_TOKEN" \
  https://api.aiven.io/v1/project

Token security best practices

Configure session durations based on your security requirements. Shorter durations limit the impact of token exposure but require more frequent rotation.
Limit token usage to trusted networks by specifying allowed IP address ranges when creating the token.
Implement a token rotation schedule to minimize security risks. Create a new token before revoking the old one to avoid service interruptions.
For non-human access like CI/CD pipelines, use application users instead of personal tokens. This provides better audit trails and access control.
Each user or system should have its own token. Sharing tokens makes it impossible to track actions and revoke access selectively.
  • Never commit tokens to version control; treat a committed token as exposed and revoke it.
  • Inject tokens at run time from environment variables or a secrets manager such as AWS Secrets Manager or HashiCorp Vault, rather than from config files checked into the repository.
  • Encrypt tokens at rest wherever they are stored.
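The following client is an added example, not Aiven's own code, that puts the guidance above together with the request format from "Using tokens in API requests": it reads the token from an environment variable, sends it with the `aivenv1` prefix, maps 401 and 403 onto the two failure modes documented in "Authentication errors", and rotates a personal token in the recommended order (create the replacement, verify it works, only then revoke the old one). The token endpoints `POST`/`GET /v1/access_token` and `DELETE /v1/access_token/{token_prefix}`, and the `full_token` field in the create response, are assumptions not stated on this page; verify them against the Aiven API reference before relying on them.

```python
"""Added example, not Aiven's own client code: a minimal Aiven API helper that reads
the token from the environment, sends it with the documented "aivenv1" prefix,
maps 401/403 onto the two failure modes described on the page, and rotates a
personal token in the recommended order (create, verify, then revoke).

Assumptions not stated on the page (verify against the Aiven API reference):
the token endpoints POST/GET /v1/access_token and DELETE /v1/access_token/{prefix},
and the "full_token" / "token_prefix" fields in the create response.
"""
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.aiven.io"


class AivenAPIError(Exception):
    """Raised for any HTTP error; .status keeps the code for callers that branch on it."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def auth_header(token):
    """Build the Authorization header the page documents: 'aivenv1 <token>'."""
    token = token.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be a single non-empty string")
    return {"Authorization": f"aivenv1 {token}"}


def token_from_env(var="AIVEN_TOKEN"):
    """Read the token from the environment so it never lands in source control."""
    token = os.environ.get(var, "")
    if not token:
        raise RuntimeError(f"{var} is not set; export a personal or application token")
    return token


def classify_error(status, body):
    """Describe a failed response using the error body shape shown on the page."""
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    if status == 401:
        return f"authentication failed ({message}): token missing, invalid, expired or revoked"
    if status == 403:
        return f"authorization failed ({message}): token is valid but lacks permission on this resource"
    return f"HTTP {status} ({message})"


def urllib_transport(method, url, headers, data):
    """Default transport: returns (status, body) and turns HTTP errors into status codes."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


class AivenClient:
    """Tiny client; the transport is injectable so the logic can be exercised offline."""

    def __init__(self, token, transport=urllib_transport, base=API_BASE):
        self._headers = {**auth_header(token), "Content-Type": "application/json"}
        self._send = transport
        self._base = base

    def request(self, method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        status, body = self._send(method, self._base + path, self._headers, data)
        if status >= 400:
            raise AivenAPIError(status, classify_error(status, body))
        return json.loads(body) if body else {}

    def projects(self):
        """GET /v1/project, the call from the curl example; also a cheap token check."""
        return self.request("GET", "/v1/project")

    def rotate_token(self, old_token_prefix, description, max_age_seconds=86400):
        """Create a replacement token, prove it works, and only then revoke the old one.

        If the new token fails the verification call we raise before touching the
        old one, so whatever automation holds the old token keeps working.
        """
        created = self.request("POST", "/v1/access_token",             # assumed endpoint
                               {"description": description,
                                "max_age_seconds": max_age_seconds})
        new_token = created["full_token"]                                # assumed field name
        AivenClient(new_token, self._send, self._base).projects()       # raises on 401/403
        self.request("DELETE", f"/v1/access_token/{old_token_prefix}")  # assumed endpoint
        return new_token


if __name__ == "__main__":
    # Live use: AIVEN_TOKEN=... python aiven_auth.py
    client = AivenClient(token_from_env())
    try:
        print(json.dumps(client.projects(), indent=2)[:500])
    except AivenAPIError as exc:
        print(f"request failed: {exc}")
```

The injectable transport is what lets the rotation order be tested without a live account: the verification call uses a fresh client built from the new token, so a 401 there aborts before the `DELETE`, and the old token stays valid until the replacement has been proven.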

Authentication errors

Common authentication-related errors:
  • 401 Unauthorized: the token is missing, invalid, or expired. Verify the token is correct, that the Authorization header uses the aivenv1 prefix, and that the token hasn't been revoked.
  • 403 Forbidden: the token is valid but doesn't have permission to access the requested resource. Check your organization and project permissions.

Example error response

{
  "errors": [
    {
      "message": "Invalid token",
      "status": 401
    }
  ],
  "message": "Invalid token"
}

Application users and tokens

For automated systems and integrations, use application users:
  1. Create an application user in your organization
  2. Generate an application token
  3. Assign appropriate permissions to the application user
  4. Use the token in your automated systems
Application tokens provide better security and audit capabilities compared to personal tokens for non-human access.
Learn more about application users and authentication policies.
