Beta

API Keys That Scale Without Security Headaches

Generate, rotate, and revoke machine tokens for service-to-service authentication. Scoped permissions, usage tracking, and zero-downtime rotation included.

Machine tokens

Issue API keys for your users without building token infrastructure

Create API tokens for your SaaS users, backend services, and third-party integrations. Each token gets scoped permissions, usage tracking, and can be rotated without breaking existing integrations.

Capabilities

Everything you need for machine authentication

Token generation

Create tokens with unique identifiers and optional expiration dates. Tokens are generated from cryptographically secure random values, and only hashed versions are stored.

Scoped permissions

Assign specific permissions to each token. A billing service token gets read access to invoices, while a reporting token gets read-only access to analytics.

Zero-downtime rotation

Rotate tokens without breaking integrations. Generate a new token, update your service, then revoke the old one. Overlapping validity periods prevent outages.

IP allowlisting

Restrict token usage to specific IP addresses or CIDR ranges. Tokens presented from unauthorized IPs are rejected before permission checks run.

Usage tracking

See request counts and last-used timestamps for each token. Identify inactive tokens that can be safely revoked and track which integrations are most active.

Labels and metadata

Attach environment labels, service names, and custom metadata to tokens. Filter and search tokens by production, staging, or integration type.

Expiration policies

Set expiration dates on tokens for automatic invalidation. Receive webhook notifications before tokens expire to trigger rotation workflows.

Rate limiting per token

Configure request limits per token independent of service-level limits. A partner integration token can have different rate limits than internal services.
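
The sketch below is an added example, not Conjoin's code or API. It shows how the capabilities above fit together on the validating side: only a SHA-256 digest of the secret is stored, the IP allowlist is checked before scopes, and rotation leaves the old token valid for a grace period. The names `issue`, `validate`, `rotate`, `STORE` and the `id.secret` token format are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, secrets, time

STORE = {}  # token_id -> record; holds only the SHA-256 digest, never the secret

def issue(scopes, cidrs, ttl=None, now=None):
    """Return (token_id, full_token). The full token is shown once and not stored."""
    now = time.time() if now is None else now
    token_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
    STORE[token_id] = {
        # An unsalted fast hash is acceptable here only because the secret is
        # 256 bits of CSPRNG output, not a human-chosen password.
        "digest": hashlib.sha256(secret.encode()).hexdigest(),
        "scopes": frozenset(scopes),
        "nets": [ipaddress.ip_network(c) for c in cidrs],
        "expires": None if ttl is None else now + ttl,
    }
    return token_id, f"{token_id}.{secret}"

def validate(token, source_ip, scope, now=None):
    """Return 'ok' or the reason the request is rejected."""
    now = time.time() if now is None else now
    token_id, _, secret = token.partition(".")
    rec = STORE.get(token_id)
    if rec is None:
        return "unknown_token"
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(presented, rec["digest"]):  # constant-time compare
        return "bad_secret"
    if rec["expires"] is not None and now >= rec["expires"]:
        return "expired"
    addr = ipaddress.ip_address(source_ip)
    # Allowlist runs before the permission check, as the page describes.
    if rec["nets"] and not any(addr in net for net in rec["nets"]):
        return "ip_not_allowed"
    if scope not in rec["scopes"]:
        return "scope_denied"
    return "ok"

def rotate(old_id, grace, now=None):
    """Issue a replacement; the old token stays valid for `grace` more seconds."""
    now = time.time() if now is None else now
    old = STORE[old_id]
    new_id, new_token = issue(old["scopes"], [str(n) for n in old["nets"]], now=now)
    cutoff = now + grace
    old["expires"] = cutoff if old["expires"] is None else min(old["expires"], cutoff)
    return new_id, new_token
```
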

Token validation: < 5ms (authentication check latency)

Token hashing: SHA-256 (secure storage of token secrets)

Tokens per project: Unlimited (no artificial limits on token count)

Why it matters

API credentials without the infrastructure burden

Keep API keys out of your codebase

Hard-coded credentials in config files and environment variables are security risks. When a key leaks, you scramble to rotate it across every service that uses it. Conjoin Auth Machine Tokens gives you a central place to manage credentials with instant revocation.

In practice

Generate a token for your payment service. Store the token ID in your config; the secret stays in Conjoin. When you need to rotate, generate a new token, update the config, and revoke the old one. No coordinated deployments across multiple services.

Know which integration uses which token

API keys without metadata become mysteries. Three months later, you find an old key with no way to identify which user or service owns it. Conjoin Auth Machine Tokens tracks creation date, last usage, and lets you attach labels like user name, service name, and environment.

In practice

Label each token with its purpose: billing-service-prod, analytics-worker-staging, partner-webhook-acme. Filter tokens by environment in the console. See last-used timestamps and request counts to identify tokens that can be safely revoked.

Scope tokens to exactly what they need

All-or-nothing API keys are dangerous. A compromised read-only token should not grant write access. Conjoin Machine Tokens lets you assign specific permissions per token, following the principle of least privilege.

In practice

Your reporting dashboard token gets read access to analytics endpoints only. Your billing service token can create invoices but cannot delete users. If a token leaks, the blast radius stays contained to its assigned permissions.

Built for Your Workflow

Ship faster with solutions designed for real-world needs

How Conjoin solves this

Create tokens with descriptive names, environment labels, and owner metadata. Query request counts and last-used timestamps to identify active integrations and stale credentials that can be safely revoked.

Impact

Maintain a clean token inventory with full visibility into which services use which credentials.

How Conjoin solves this

Rotate tokens with configurable grace periods where both old and new tokens remain valid. Update services at your pace, then revoke the old token when the transition completes.

Impact

Rotate credentials without coordinating simultaneous deployments across services.

How Conjoin solves this

Filter tokens by last-used date to find stale credentials. Query request counts to identify which tokens are actively used and which have not been called in months.

Impact

Audit and clean up unused API keys without guessing which ones are still needed.

How Conjoin solves this

Create tokens with restricted scopes, IP allowlists, and custom rate limits for partner integrations. Partners access only the endpoints they need without visibility into internal APIs.

Impact

Onboard partners with least-privilege tokens that contain the blast radius if compromised.

Ship your application today

Start building with Conjoin today. Free tier includes everything you need to prototype and launch. Scale when you're ready.