API Tokens
API tokens authenticate requests to the public REST API (/api/v1/*). They are separate from your login credentials.
Token format
qh_<prefix>_<secret>
- qh_: fixed prefix identifying QA Hub tokens
- <prefix>: a short random string stored in plaintext (used for display and revocation)
- <secret>: a longer random string hashed with bcrypt (never stored or retrievable)
Create a token
- Go to Settings → Developer → API Tokens.
- Click Create token.
- Enter a name and select scopes (read, write, or both).
- Click Create. The full token is displayed once only.
- Copy it immediately and store it securely.
qh_a1b2c3_e7f8g9h0i1j2k3l4m5n6o7p8q9r0s1t2u3v4
   ↑      ↑
   prefix secret (copy this entire string)
Scopes
| Scope | Grants |
|---|---|
| read | GET endpoints: list and retrieve any resource |
| write | POST, PATCH, DELETE: create, update, and delete resources |
Using a token
Include the full token in the Authorization header:
curl https://your-qahub.com/api/v1/cases \
  -H "Authorization: Bearer qh_a1b2c3_e7f8g9..."
Storing tokens safely
- Never commit tokens to source control
- Store in CI/CD environment variables (GitHub Actions secrets, GitLab CI variables, etc.)
- Use a secrets manager (Vault, AWS Secrets Manager, 1Password) in production
# GitHub Actions example
- name: Upload test results
  run: |
    qa-hub upload --format playwright results.json
  env:
    QA_HUB_TOKEN: ${{ secrets.QA_HUB_TOKEN }}
    QA_HUB_URL: https://your-qahub.com
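To back up the "never commit tokens" rule, the following added example (not part of QA Hub or its CLI) scans files for strings in the qh_<prefix>_<secret> format and reports only the prefix, so a leaked token can be found in the tokens list and revoked. The character set and minimum lengths in the pattern are assumptions, and the sample input is constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: prefix and secret are alphanumeric. The minimum lengths are
# guesses chosen to skip truncated placeholders, not documented values.
TOKEN_RE = re.compile(r"\bqh_([A-Za-z0-9]{4,16})_([A-Za-z0-9]{16,})")

def redact(line):
    """Mask each secret, keeping the prefix (safe to display) visible."""
    return TOKEN_RE.sub(lambda m: f"qh_{m.group(1)}_" + "*" * 8, line)

def scan_text(text, source="<text>"):
    """Return findings as (source, line_no, prefix, redacted_line)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, line_no, match.group(1), redact(line).strip()))
    return findings

def scan_paths(paths):
    """Scan files on disk, skipping any that cannot be read."""
    findings = []
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample input (the token is the documentation example, not a real one).
SAMPLE = """\
QA_HUB_URL=https://your-qahub.com
QA_HUB_TOKEN=qh_a1b2c3_e7f8g9h0i1j2k3l4m5n6o7p8q9r0s1t2u3v4
curl -H "Authorization: Bearer qh_a1b2c3_e7f8g9..."   # truncated placeholder
QA_HUB_TOKEN: ${{ secrets.QA_HUB_TOKEN }}
"""

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for source, line_no, prefix, shown in hits:
        print(f"{source}:{line_no}: QA Hub token with prefix {prefix!r}: {shown}")
    sys.exit(1 if hits else 0)
```

Run it with the staged file paths as arguments from a pre-commit hook or CI step; a non-zero exit blocks the commit, and the reported prefix identifies which token to revoke.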
Revoke a token
Go to Settings → Developer → API Tokens, find the token by name or prefix, and click Revoke. Revocation is immediate — the token stops working on the next request.
View existing tokens
The tokens list shows name, prefix, scopes, and creation date. The secret is never shown again after creation — if you lose it, revoke the old token and create a new one.
Token limits
There is no hard limit on the number of tokens per workspace. Create separate tokens per service for easier auditing and targeted revocation.