API Keys
API tokens allow coding agents to authenticate to the PREQSTATION REST API and perform task operations.
Token Format
- Prefix: preq_
- Storage: SHA-256 hashed in database (never stored in plaintext)
- Length: 32 random characters
- Example: preq_a7f3c9e2b1d4f6a8c0e2b4d6f8a0c2e4
Issuing a Token
- Navigate to Settings > API Keys
- Click + New Token
- Enter a descriptive name (e.g., local-dev, claude-code-prod, codex-testing)
- (Optional) Set an expiration date
- Click Create
- Copy the token immediately (shown only once)
Using a Token
Configure your agent’s environment:
```
export PREQSTATION_API_URL=https://your-domain.com
export PREQSTATION_TOKEN=preq_xxxxxxxxxxxxx
```
Or in your MCP configuration:
```
{
  "mcpServers": {
    "preqstation": {
      "command": "node",
      "args": ["/ABSOLUTE/PATH/TO/preqstation-skill/scripts/preqstation-mcp-server.mjs"],
      "env": {
        "PREQSTATION_API_URL": "https://your-domain.com",
        "PREQSTATION_TOKEN": "preq_xxxxxxxxxxxxx"
      }
    }
  }
}
```
Revoking a Token
- Navigate to Settings > API Keys
- Find the token you want to revoke
- Click the Delete icon
- Confirm
Revoked tokens are immediately invalid. Any agent using a revoked token will receive 401 Unauthorized.
Token Rotation
Best practice: rotate tokens periodically.
- Issue a new token with a new name
- Update your agent configuration with the new token
- Revoke the old token
Scoping
All tokens are scoped to your owner account. Tokens can:
- Read and create tasks
- Update task status and results
- List projects and project settings
- Create work logs
Tokens cannot:
- Access other user accounts (single-owner system)
- Modify user settings or issue new tokens
- Access audit logs or security events
Security Notes
- Never commit tokens to version control — use environment variables or secrets management
- Rotate tokens before sharing credentials — if a token is exposed, revoke and issue a new one
- Token prefix (preq_) helps identify tokens in logs and error messages
- Expiration (optional) enforces automatic token invalidation after a set time
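The token format, revocation, rotation and expiration rules above can be modelled in a few lines. This is an added example, not PREQSTATION's own code: the in-memory store and the function names are hypothetical, and it assumes the 32 random characters are lowercase hex, as in the example token.

```javascript
// Added example, not PREQSTATION source code.
const { createHash, randomBytes } = require("node:crypto");

const TOKEN_RE = /^preq_[0-9a-f]{32}$/; // assumption: 32 lowercase hex characters
const sha256Hex = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// Hypothetical in-memory stand-in for the token table, keyed by SHA-256(token).
function createTokenStore() {
  const rows = new Map();

  function issue(name, expiresAt = null) {
    const token = "preq_" + randomBytes(16).toString("hex"); // CSPRNG, 32 hex chars
    rows.set(sha256Hex(token), { name, expiresAt });
    return token; // returned once; only the digest is retained
  }

  function verify(presented, now = Date.now()) {
    // Reject anything that is not token-shaped before hashing or lookup.
    if (typeof presented !== "string" || !TOKEN_RE.test(presented)) {
      return { status: 401, reason: "malformed" };
    }
    const row = rows.get(sha256Hex(presented));
    if (!row) return { status: 401, reason: "unknown or revoked" };
    if (row.expiresAt !== null && now >= row.expiresAt) {
      return { status: 401, reason: "expired" };
    }
    return { status: 200, name: row.name };
  }

  // Revocation deletes the row, so the next request with that token gets 401.
  function revoke(name) {
    let removed = 0;
    for (const [digest, row] of rows) {
      if (row.name === name) { rows.delete(digest); removed++; }
    }
    return removed;
  }

  // Rotation in the page's order: issue the new token first, then revoke the old.
  function rotate(oldName, newName, expiresAt = null) {
    if (oldName === newName) throw new Error("new token needs a new name");
    const token = issue(newName, expiresAt);
    revoke(oldName);
    return token;
  }

  return { issue, verify, revoke, rotate, rows };
}
```

Because only digests are stored, a dump of the table does not yield usable tokens, and a lost token cannot be recovered, only replaced.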