Tokens & Authentication
The Orchestrator uses token-based authentication for API access, agent connections, and pipeline triggers.
🔓 Authentication Providers
Section titled “🔓 Authentication Providers”The Orchestrator supports multiple OAuth authentication providers. Users authenticate through a provider (e.g., GitHub, GitLab, or a custom OIDC provider) to access the web UI.
Multiple auth providers can be configured simultaneously, and users can link multiple providers to a single account.
🏷️ Token Types
Section titled “🏷️ Token Types”Personal Access Tokens (PAT)
Section titled “Personal Access Tokens (PAT)”PATs are user-scoped tokens for API access. Create them in Settings → Personal Access Tokens.
Click Create Token, enter a label, and select the scopes you need:
| Scope | Permission |
|---|---|
trigger | Trigger pipeline runs |
read | Read projects, runs, logs, artifacts |
pipeline:write | Create and modify pipeline files |
repo:write | Modify project settings and files |
secret:write | Create and delete secrets |
token:admin | Manage tokens |
org:admin | Manage organizations and members |
Organization Tokens
Section titled “Organization Tokens”Organization tokens work like PATs but are owned by the organization rather than a user. They use the same scopes and are managed in Organization Settings → Tokens.
Use these for shared integrations like CI bots or deployment automation that shouldn’t be tied to a personal account.
Agent Tokens
Section titled “Agent Tokens”Agent tokens authenticate agents connecting to the orchestrator. They have no scopes and simply identify and authorize the agent connection.
- Personal agent tokens: For agents running personal projects (Settings → Agent Tokens)
- Organization agent tokens: For agents running org projects (Organization Settings → Agent Tokens)
See Agents for details on connecting agents.
Trigger Tokens
Section titled “Trigger Tokens”Trigger tokens are per-repository tokens used to authorize external systems (webhooks, CI integrations) to trigger pipeline runs. They carry no scopes beyond the ability to trigger runs on that specific repository.
Manage them in Project Settings → Trigger Tokens.
🗂️ Managing Tokens
Section titled “🗂️ Managing Tokens”All token types can be created, updated (label/description), and deleted from their respective settings pages.
Token values are only shown once at creation time. Store them securely because you cannot retrieve the value after the creation dialog is closed.
For programmatic token management, see REST API.