Access Tokens
Access tokens are project-scoped API keys used to authenticate the Qualflare CLI, automated scripts, and integrations. Each token provides read and write access to the project's test data via the public API.
Accessing Tokens
Go to Project Settings → Access Tokens to manage your project's tokens.
Creating a Token
- Click New Token
- Enter a descriptive name (e.g., "GitHub Actions", "Local Dev")
- Optionally set an expiration date
- Click Create
- Copy the token immediately — it is only shown once after creation
WARNING
Access tokens are only displayed once at creation. Store it securely in a password manager or as an encrypted CI/CD secret immediately.
Token Fields
| Field | Description |
|---|---|
| Name | A label to identify the token's purpose |
| Created | Date the token was created |
| Expires | Expiration date (if set), or "Never" |
| Status | Active or Revoked |
| Last Used | Last time the token was used to make an API call |
Revoking a Token
Click the Revoke button next to a token to immediately invalidate it. Revoked tokens cannot be restored — create a new token if needed.
Using Tokens with the CLI
Pass the token as the QF_API_KEY environment variable or --api-key flag:
bash
# Environment variable (recommended for CI/CD)
export QF_API_KEY=your_token_here
qf collect results.xml
# Flag (avoid in CI — visible in logs)
qf collect results.xml --api-key your_token_hereSecurity Best Practices
- Use one token per environment — separate tokens for local dev, staging, and production
- Store in CI secrets — never commit tokens to source code
- Set expiration dates — rotate tokens regularly (e.g., every 90 days)
- Revoke unused tokens — clean up tokens for tools or environments no longer in use
- Use descriptive names — "GitHub Actions — Production" is clearer than "key1"