Beta ProductSQL Proxy is currently in beta. API endpoints may change.
- Principal Tokens - Tokens for users and service principals to authenticate to the proxy
- Proxy Manager Tokens - Admin tokens for managing the proxy configuration
The full token is only returned at creation time. Store it securely - it cannot be retrieved later.
Endpoints
All token endpoints follow the same pattern:
| Principal Type | Base Path |
|---|
| Users | /admin/users/{user_id}/tokens |
| Service Principals | /admin/service-principals/{client_id}/tokens |
| Proxy Manager | /admin/proxy-manager/tokens |
| Operation | Method | Path |
|---|
| List tokens | GET | {base_path} |
| Create token | POST | {base_path} |
| Get token | GET | {base_path}/{token_id} |
| Revoke token | DELETE | {base_path}/{token_id} |
| Revoke all tokens | DELETE | {base_path} (users and service principals only) |
List Tokens
Returns all tokens for a principal. Query parameter include_revoked=true includes revoked tokens.
curl -X GET \
-H "Authorization: Bearer <proxy-manager-token>" \
"https://sqlproxy.your-company.datafold.com/admin/users/{user_id}/tokens?include_revoked=false"
Create Token
curl -X POST \
-H "Authorization: Bearer <proxy-manager-token>" \
-H "Content-Type: application/json" \
-d '{
"label": "dbt production",
"expires_in_days": 365
}' \
https://sqlproxy.your-company.datafold.com/admin/users/{user_id}/tokens
Request Body
| Field | Type | Required | Description |
|---|
label | string | No | Token label (default: “API created”) |
expires_in_days | integer | No | Token expiration in days. null for no expiration. |
Revoke Token
curl -X DELETE \
-H "Authorization: Bearer <proxy-manager-token>" \
-H "Content-Type: application/json" \
-d '{"reason": "Rotating credentials"}' \
https://sqlproxy.your-company.datafold.com/admin/users/{user_id}/tokens/{token_id}
Request Body (Optional)
| Field | Type | Required | Description |
|---|
reason | string | No | Reason for revocation |
Revoke All Tokens
Revokes all active tokens for a user or service principal. Not available for proxy manager tokens.
curl -X DELETE \
-H "Authorization: Bearer <proxy-manager-token>" \
-H "Content-Type: application/json" \
-d '{"reason": "User offboarding"}' \
https://sqlproxy.your-company.datafold.com/admin/users/{user_id}/tokens
Token Response Fields
| Field | Type | Description |
|---|
id | integer | Unique token identifier |
prefix | string | Token prefix for identification (safe to log) |
token_type | string | principal or proxy_manager |
label | string | User-defined label |
status | string | active, expired, or revoked |
use_count | integer | Number of times the token has been used |
created_at | string | ISO 8601 timestamp |
expires_at | string | ISO 8601 timestamp, or null if no expiration |
last_used_at | string | ISO 8601 timestamp, or null if never used |
revoked_at | string | Only present for revoked tokens |
revoked_reason | string | Only present for revoked tokens |
