Skip to main content

How to generate an access token

Access tokens authenticate requests to ArborXR APIs. They are required for integrations and automations that call our Public API V2 and Insights API.

Who can create tokens

  • Organization Owners and Admins
  • Custom roles that include the Create Access Tokens permission
  • Available on Essential, Classroom Pro, and Enterprise plans.

Where you can use them

  • Public API V2 — REST endpoints for managing devices, apps, groups, policies, etc.
  • Insights API — analytics & telemetry access.
  • ArborXR CLI — command‑line workflows built on the Public API (upload apps/files, manage fleets).

Generate a token

  1. In the ArborXR Portal, navigate to the Access Tokens section of your organization settings.
  2. Click Create token, give it a descriptive name (e.g., CI/CD – Staging), and save.
  3. Copy the token value once and store it securely (password manager or secrets vault).

Treat tokens like passwords. Rotate periodically and delete tokens that are no longer needed.

Insights API - Paid Feature

The Insights API scope is a paid feature. If you need access to the Insights API for BI integrations (Power BI, Tableau, etc.), please contact your ArborXR point of contact or support@arborxr.com to discuss pricing. This option will not display in your token creation dialog unless the feature is enabled for your organization.

For more information, see the ArborXR Insights API Setup Guide.

Use the token

Most HTTP clients use a Bearer header:

export ARBORXR_BASE_URL="https://api.xrdm.app"  # or production
export ARBORXR_API_KEY="<your_access_token>"

curl -s -H "Authorization: Bearer $ARBORXR_API_KEY" \
     -H "Accept: application/json" \
     "$ARBORXR_BASE_URL/api/v2/apps"

Node.js example

const res = await fetch(`${process.env.ARBORXR_BASE_URL}/api/v2/apps`, {
  headers: { Authorization: `Bearer ${process.env.ARBORXR_API_KEY}` }
});
console.log(await res.json());

Best practices

  • Least privilege: use role‑based permissions; prefer service accounts for automations.
  • Secret storage: keep tokens in a secrets manager; never commit to source control.
  • Rotation: set reminders to rotate tokens; update CI/CD and servers accordingly.
  • Revocation: immediately delete tokens if exposed or no longer needed.

Cross‑reference

For a high‑level overview and plan/permission details, see Access Tokens — ArborXR Help Center.