Authorization tokens

Authorization tokens can be created by users and administrators to provide fine-grained access control to resources (channels) or scopes when using the API or CLI. These tokens can be used in place of username-based authentication, particularly for third-party applications or automation tools.

This topic provides guidance on the following actions:

• Understanding tokens

• Understanding scopes

• Listing the available authorization scopes

• Listing the user authorization tokens

• Create a new user authorization token

• Removing a user authorization token

Understanding tokens

Scope-based

Scope-based tokens give the token holder permission to take specific actions. It is possible to create private tokens with a specific set of scopes.

Resource-based

Resource-based tokens provide access to specific resources. Channel group permissions granted by the token will determine what actions the user is allowed to take.

Understanding scopes

In our model, scopes are represented as a concatenated string, like so:

Resource:Action

Note

Some features in the table below may contain “(by user with manage permissions)”, like in the feature associated with channel:edit in the third row down, for example. This means the token has a role with a corresponding permission level (in this case, manage) for a specific resource (in this case, channel).

Resource	Action	Scope (Resource + Action)	Feature	Default Roles
channel	create	channel:create	Create a channel (at least by authenticated user)	author, admin
	view	channel:view	View a channel (public)	everyone, author, admin
	edit	channel:edit	Edit a channel information (by user with manage permissions)	admin
	delete	channel:delete	Delete a channel (by user with manage permission)	admin
	history	channel:history	See channel history (by user with manage permissions)	admin
	view-artifacts	channel:view-artifacts	View channel artifacts (public)	everyone, author, admin
channel.default-channel	edit	channel.default-channel:edit	Edit default channel (user with manage permissions)	admin
channel.group	edit	channel.group:edit	Edit channel group (user with manage permissions)	admin
channel.mirror	view	channel.mirror:view	View channel mirror configuration	admin-only
	edit	channel.mirror:edit	Edit channel mirror configuration	admin-only
subchannel	create	subchannel:create	Create subchannel (user with write permission) to the parent channel	admin
	view	subchannel:view	View subchannel (public)	everyone, author, admin
	edit	subchannel:edit	Edit subchannel information (user with manage permission)	admin
	delete	subchannel:delete	Edit subchannel information (user with manage permission)	admin
	history	subchannel:history	View subchannel history (user with manage permission)	admin
	view-artifacts	subchannel:view-artifacts	View subchannel artifacts (public)	everyone, author, admin
subchannel.group	edit	subchannel.group:edit	View subchannel groups (user with manage permissions)	admin*
subchannel.mirror	view	subchannel.mirror:view	View subchannel mirror configuration	admin-only
	edit	subchannel.mirror:edit	Edit subchannel mirror configuration	admin-only
artifact	create	artifact:create	Upload artifact (user with write permission to parent resource which is channel or subchannel)	author, admin
	view	artifact:view	View artifact (public)	everyone author, admin
	edit	artifact:edit	Edit artifact (user with manage permission to parent resource)	author, admin
	download	artifact:download	Download artifact (public)	everyone author, admin
	delete	artifact:delete	Delete artifact (user with manage permission to parent resource)	author, admin
cve	view	cve:view	View CVE	admin-only
role	view	role:view	View custom roles	admin-only
	edit	role:edit	Edit custom roles	admin-only
system.license	view, edit	system.license:view system.license:edit	View / Edit licenses
system.blobs ?	delete	system.blobs:delete	Delete orphan blobs
system			View system history
system			View system stats

Italicized items in table are under development.

Listing the available authorization scopes

Via the API:

GET /api/system/tokens

Via the CLI:

conda repo auth --list-scopes

Listing the user authorization tokens

Via the API:

GET /api/account/token

Via the CLI:

conda repo auth --list

Create a new user authorization token

Via the API:

POST /api/account/tokens

Via the CLI:

conda repo auth --create -n <NAME>

Removing a user authorization token

Via the API:

DELETE /api/account/tokens/<TOKEN_ID>

Via the CLI:

conda repo auth --remove <TOKEN_ID>