
Workspace Tokens

You will know when a workspace token is still relevant, when the account sign-in flow has replaced it, and how to generate, rotate, or revoke a token safely when a workflow asks for one.

Workspace tokens are still customer-visible in some workflows, but they are no longer the main setup story everywhere. Most current TMXIO connection flows use a normal account sign-in or an OAuth-style authorization that hands the credential off without exposing a raw token. Use the product or plugin-specific docs first, then return here if a workflow explicitly asks for a workspace token.

The current default. When a plugin, integration, or external tool asks to connect to TMXIO, it usually opens a sign-in window or an authorization screen. You approve access for the workspace and the integration receives a credential without you copying anything by hand.

Use this path whenever the integration offers it. There is no token to store on your side, and access can be revoked from the workspace later without rotating anything in the integration.

When a workflow explicitly asks for a workspace token, generate one as follows:

  1. Sign in to TMXIO and open the workspace where the integration will connect.

  2. Navigate to the workspace tokens area in workspace settings.

  3. Create a new token. Give it a descriptive label that identifies where it will be used, for example the plugin name or the script that will hold it.

  4. Copy the token value once and paste it directly into the destination tool. The full value is only visible at creation time.

  5. Confirm the integration connects successfully, then close the token panel.

Rotate a token on a predictable cadence and any time you suspect it may have been exposed. Generating a replacement first, then deleting the old one, avoids a short outage in the integration.

  1. Generate a new token with the same label scheme so you can track which integration uses it.

  2. Update the integration to use the new value, then verify it still connects.

  3. Delete the previous token from the workspace.
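The integration-side half of the rotation above (update, verify, and only then delete the old token), as an added example that is not TMXIO's own tooling. It assumes the integration reads its token from a file; `swap_token`, the `TOKEN_FILE` variable and the verify command are hypothetical names for whatever proves your integration still connects.

```shell
#!/bin/sh
# Added example, not TMXIO code. Assumes the integration reads its token from
# a file and that VERIFY_CMD exits 0 only when the integration connects.

# swap_token TOKEN_FILE VERIFY_CMD
# The new token is read from stdin so it never appears in argv or shell history.
# Returns 0 when the new token is in place and verified, 1 after a rollback.
swap_token() {
    token_file=$1
    verify_cmd=$2
    IFS= read -r new_token || true
    [ -n "$new_token" ] || { echo "empty token, nothing changed" >&2; return 1; }

    dir=$(dirname "$token_file")
    # mktemp creates both files with mode 0600 (owner read/write only).
    tmp=$(mktemp "$dir/.token.new.XXXXXX") || return 1
    bak=$(mktemp "$dir/.token.old.XXXXXX") || { rm -f "$tmp"; return 1; }

    printf '%s\n' "$new_token" > "$tmp"
    unset new_token
    had_old=0
    if [ -f "$token_file" ]; then
        cat "$token_file" > "$bak"      # keep the old value for rollback
        had_old=1
    fi
    mv -f "$tmp" "$token_file"          # same directory, so the replace is atomic

    # The verify command receives the token path in TOKEN_FILE.
    if TOKEN_FILE="$token_file" sh -c "$verify_cmd"; then
        rm -f "$bak"
        echo "verified: now delete the previous token in the workspace"
        return 0
    fi

    # The old token has not been deleted yet, so restoring it ends the outage.
    if [ "$had_old" -eq 1 ]; then
        mv -f "$bak" "$token_file"
    else
        rm -f "$token_file" "$bak"
    fi
    echo "verify failed: old token restored, do not delete it yet" >&2
    return 1
}
```

Because the previous token stays valid until step 3, a failed verification costs nothing more than the rollback.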

If a token is no longer needed, or if you believe it has been exposed, revoke it immediately from the workspace tokens panel. Revocation takes effect right away, and any integration that was using the token will fail until it is reconfigured.

  • Copy tokens only from the intended workspace, never from screenshots or copy-paste history
  • Avoid reusing older setup notes that may refer to outdated connection steps
  • Rotate tokens on a predictable schedule rather than waiting for an incident
  • Prefer the account sign-in flow whenever the integration offers it
  • Keep token labels descriptive so an unused token is easy to identify and clean up