We're excited to announce Personal Access Tokens (PATs), a new and improved authentication method for CVAT's API, SDK, and CLI. If you're building integrations, running automated scripts, or working with CVAT programmatically, this feature is designed to make your workflow more secure and convenient.
Why Personal Access Tokens?
Until now, authenticating with CVAT's API required using your username and password or legacy API keys. While functional, this approach had some limitations:
- Security risks: Sharing your password with multiple applications increases exposure if one gets compromised
- Limited control: No way to restrict what specific applications can do
- Manual management: Changing your password meant updating it everywhere
Personal Access Tokens solve these problems by giving you better control over API access.
What Are Personal Access Tokens?
Think of PATs as specialized keys for your CVAT account. Instead of using your password in scripts or third-party tools, you create a unique token for each use case. Each token can have:
- Custom permissions: Choose between read-only or read/write access
- Expiration dates: Set tokens to automatically expire after a specific time
- Individual management: Revoke any token instantly without affecting others
This means if you suspect a token has been compromised or simply don’t need a specific token anymore, you can revoke just that one token without disrupting your other integrations or changing your password.
Key Benefits
Enhanced Security: Use separate credentials for each application and eliminate the need to embed passwords in your code.
Better Control: Configure exactly what each token can do. Need a script that only reads data? Create a read-only token.
Easy Management: Create, edit, and revoke tokens anytime directly from your CVAT user settings.
Automatic Cleanup: Unused tokens are automatically removed after a period of inactivity, reducing security risks from forgotten credentials.
Getting Started
Creating your first Personal Access Token is simple:
- Navigate to your Profile page
- Go to the "Security" section
- Click the "+" button to create a new token
- Configure the name, expiration date, and permissions
- Save and securely store the token value (it's only shown once!)

Once you have your token, use it in your API requests with the Authorization header:
```python
import requests

token = "your_token_value"
response = requests.get(
    "https://app.cvat.ai/api/tasks",
    headers={"Authorization": f"Bearer {token}"}
)
```

Or, if you prefer working with the CLI, set the token as an environment variable:

```bash
export CVAT_ACCESS_TOKEN="your_token_value" && cvat-cli task ls
```

Important Security Reminders
- Store tokens securely: Treat them like passwords
- Set expiration dates: Always configure tokens to expire
- Use minimal permissions: Grant only the access level needed
- Revoke immediately: If you suspect a token is compromised, revoke it right away
- Never share tokens: Each user and application should have its own token
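One way to apply the "store tokens securely" reminder in a script, as an added example that is not CVAT's own code: the token is read from the `CVAT_ACCESS_TOKEN` variable used in the CLI example instead of being written into the source, the Bearer header is only attached to HTTPS URLs, and the token is masked before anything is logged. The helper names `load_token`, `build_request` and `redact` are hypothetical, and the token value is a constructed sample.

```python
import os
import urllib.request
from urllib.parse import urlsplit

ENV_VAR = "CVAT_ACCESS_TOKEN"  # same variable the CLI example on this page uses


def load_token(env=os.environ):
    """Read the PAT from the environment so it never lives in source control."""
    token = env.get(ENV_VAR, "").strip()
    if not token or token == "your_token_value":
        raise RuntimeError(f"{ENV_VAR} is unset or still the placeholder")
    return token


def build_request(url, token):
    """Attach the Bearer header, refusing URLs that would send it in cleartext."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a token over a non-HTTPS URL")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}"}
    )


def redact(text, token):
    """Mask the token in anything destined for logs or error reports."""
    return text.replace(token, "[REDACTED]")


if __name__ == "__main__":
    # Constructed sample value, not a real PAT; no request is sent.
    demo_env = {ENV_VAR: "constructed-sample-token-123"}
    tok = load_token(demo_env)
    req = build_request("https://app.cvat.ai/api/tasks", tok)
    print(redact(str(req.header_items()), tok))
```
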
Learn More
Personal Access Tokens are available now for all CVAT users across Community, Online, and Enterprise editions. We recommend migrating your existing integrations to use PATs for improved security and control.
Ready to start using Personal Access Tokens?
Check out our complete documentation for detailed instructions on creating, managing, and using PATs in your CVAT workflows.
Have questions or feedback?
Join the conversation on our Discord or open an issue on our GitHub repository.





