Skip to main content

How to generate an access token

Access tokens authenticate requests to ArborXR APIs. They are required for integrations and automations that call our MDM and Insights API.

This feature is available on Essential, Classroom Pro, and Enterprise plans.

Who can create tokens

  • Organization Owners and Admins
  • Custom roles that include the Create Access Tokens permission

Where you can use them

  • MDM API — REST endpoints for managing devices, apps, groups, policies, etc.
  • Insights API — analytics & telemetry access.
  • ArborXR CLI — command‑line workflows built on the Public API (upload apps/files, manage fleets).

Important: Please continue using MDM API v2 tokens for CLI operations. Compatibility for MDM API v3 tokens is scheduled for release in mid-March 2026.

Generate a token

  1. In the ArborXR Portal, navigate to Settings then select Access Tokens.
  2. Select Access Token.
  3. Click Create Access Token in the top right.
  4. Select the desired scope from the dropdown. Options include:
    • MDM API v3
    • MDM API v2 (Legacy)
    • Insights API
  5. Enter a title then click Create.
  6. Copy the token value before closing.

Treat tokens like passwords. Rotate periodically and delete tokens that are no longer needed.

Insights API - Paid Feature

The Insights API scope is a paid feature. If you need access to the Insights API for BI integrations (Power BI, Tableau, etc.), please contact your ArborXR point of contact or support@arborxr.com to discuss pricing. This option will not display in your token creation dialog unless the feature is enabled for your organization.

For more information, see the ArborXR Insights API Setup Guide.

Use the token

Most HTTP clients use a Bearer header:

export ARBORXR_BASE_URL="https://api.xrdm.app"  # or production
export ARBORXR_API_KEY="<your_access_token>"

curl -s -H "Authorization: Bearer $ARBORXR_API_KEY" \
     -H "Accept: application/json" \
     "$ARBORXR_BASE_URL/api/v3/apps"

Node.js example

const res = await fetch(`${process.env.ARBORXR_BASE_URL}/api/v3/apps`, {
  headers: { Authorization: `Bearer ${process.env.ARBORXR_API_KEY}` }
});
console.log(await res.json());

Best practices

  • Least privilege: use role‑based permissions; prefer service accounts for automations.
  • Secret storage: keep tokens in a secrets manager; never commit to source control.
  • Rotation: set reminders to rotate tokens; update CI/CD and servers accordingly.
  • Revocation: immediately delete tokens if exposed or no longer needed.

Cross‑reference

For a high‑level overview and plan/permission details, see Access Tokens — ArborXR Help Center.