Skip to content

ApiToken

Source: src/Axiom/ApiToken.ts

An Axiom API token — a scoped bearer token used to authenticate API requests (ingest, query, admin). Capabilities are pinned at creation time; changing any field triggers a replacement because Axiom does not expose an update endpoint.

The raw token value is returned only by create. After that, Axiom never echoes it back, so it is captured into output.token (as a {@link Redacted}) on initial create and persisted in resource state. Treat resource state as sensitive — anyone with read access can recover the token. Pair with a secret store for downstream consumption.

Creating an API Token

Section titled “Creating an API Token”

Ingest-only token scoped to one dataset

const ingest = yield* Axiom.ApiToken("ingest", {
  name: "prod-ingest",
  description: "OTEL collector ingest",
  datasetCapabilities: {
    "my-app-traces": { ingest: ["create"] },
  },
});

Read-only query token

yield* Axiom.ApiToken("query", {
  name: "grafana-reader",
  datasetCapabilities: {
    "my-app-traces": { query: ["read"] },
    "my-app-logs":   { query: ["read"] },
  },
});

Consuming the Token

Section titled “Consuming the Token”
const secret = yield* Cloudflare.Secret("axiom-token", {
  value: ingest.token,
});