If you are looking for information on how to use the API tokens via the API, go to the API General page.
PractiTest supports two types of API Tokens: Personal API Tokens and Account API Tokens.
*We recommend using Personal API Tokens for a secure process.*
To learn more about the differences, please click here.
Personal API Tokens
What are Personal API Tokens?
A Personal API Token is a unique token issued to a specific user; it grants access ONLY to the areas that user is permitted to use. It should be kept private, like any other credential. A user who has more than one account will have a different Personal API Token for each account.
To get a Personal API Token, the account owner must enable it for the user through the Account Settings window, as described on the Account Settings page.
Once the Personal API Token is enabled for a user, the user can find it in the Personal tab of the user settings, as described on the Personal Settings page.
Account API Tokens
What are Account API Tokens?
API tokens grant access to read, create, update and delete data in PractiTest. Account API Tokens grant this access to all the projects of your account. They should be kept private, like any other credential, and guarded even more carefully, since an Account API Token controls all of your accounts.
Only an Account Administrator can see the API Token screen, through the Account Settings.
What is the API Token name for?
API Tokens have names so you can remember to whom or to what you gave access via each token.
API Tokens whose names start with an underscore are reserved for specific uses and specific integrations. Don't use them unless there is a specific reason to, and then only by following our instructions.
Best practices for using Account API Tokens
If you choose to work with Account API Tokens, although we recommend using Personal API Tokens (PAT) when possible, here are a few best practice tips.
Since you can create as many API Tokens as needed, and rename, disable and enable them, it is a best practice to issue a different API Token for each (code) purpose or business need. When business needs change, or you need to switch off one piece of functionality, it is then easy to disable just that one API Token without affecting the others.
Security
Your API Tokens should be kept private, like any other credentials:
- When possible, use Personal API Tokens rather than Account API Tokens, to restrict access to your data according to specific users and tasks.
- Never send your API Token via email.
- If you're writing a script or program that accesses the API, do not pass the token in cleartext (use HTTPS exclusively).
- Do not embed your token in your code if that code is visible to others. This is especially important with JavaScript, since JavaScript code is visible to anyone who has access to the page it's running on.
- Give each specific API usage its own API Token with an explicit name.
- If you suspect that your API token has been compromised, or you're not sure what it is being used for, delete, disable or regenerate it.
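The following script illustrates the "do not pass the token in cleartext" and "do not embed your token in your code" points above. It is an added example and not PractiTest's own code: it reads the token from an environment variable instead of a source file, refuses to build a request to any URL that is not HTTPS, and redacts the token before anything is logged. The environment variable name, the `X-Api-Token` header and the `api.example.invalid` URL are placeholders chosen for the example; use the header and endpoint documented on the API General page for real calls.

```python
"""Added example (not PractiTest's own code): keep an API token out of source
code and out of logs, and never send it over plain HTTP.
The env var name, header name and URL below are placeholders, not the real API."""
import os
import urllib.parse
import urllib.request
from typing import Mapping

TOKEN_ENV_VAR = "PRACTITEST_API_TOKEN"  # assumed variable name; any name works


class TokenError(Exception):
    """Raised when the token is missing or would be sent insecurely."""


def load_token(env: Mapping[str, str] = os.environ, var: str = TOKEN_ENV_VAR) -> str:
    """Read the token from the environment rather than from source code, so it is
    never committed or visible to anyone who can read the script."""
    token = env.get(var, "").strip()
    if not token:
        raise TokenError(f"set {var} in the environment; do not hardcode the token")
    return token


def require_https(url: str) -> str:
    """Reject any URL that would carry the token in cleartext."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise TokenError(
            f"refusing to send an API token over '{parsed.scheme or 'no scheme'}': use https"
        )
    return url


def redact(token: str, keep: int = 4) -> str:
    """Return a log-safe form of the token: only its last `keep` characters,
    enough to tell which named token a log line refers to."""
    if len(token) <= keep:
        return "*" * len(token)
    return "*" * (len(token) - keep) + token[-keep:]


def build_request(url: str, token: str) -> urllib.request.Request:
    """Build an HTTPS GET request carrying the token in a header.
    'X-Api-Token' is a placeholder header name for this example."""
    require_https(url)
    req = urllib.request.Request(url, method="GET")
    req.add_header("X-Api-Token", token)
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed demo environment so the script runs offline; in real use,
    # export the variable in the shell and call load_token() with no arguments.
    demo_env = {TOKEN_ENV_VAR: "example-token-0000abcd"}  # constructed sample value
    tok = load_token(demo_env)
    req = build_request("https://api.example.invalid/projects", tok)  # placeholder URL
    print("would call", req.full_url, "using token", redact(tok))
    try:
        build_request("http://api.example.invalid/projects", tok)
    except TokenError as err:
        print("blocked:", err)
```

Because `build_request` calls `require_https` before the token is attached, a misconfigured base URL fails closed instead of leaking the credential, and `redact` is the only form of the token that should ever reach a log or error message.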