API Key Management
API keys authenticate programmatic access to the Interlynk platform β from CI/CD pipelines, the pylynk CLI, and direct API calls. Interlynk supports two token types: user tokens (tied to an individual) and service tokens (tied to an organization).
Token Types
Bound to
Individual user account
Organization
Permissions
Inherits user's role
Assigned a specific role at creation
Creator tracking
N/A
Records who created it (creator_id)
Lifecycle
Tied to user β invalidated when user is removed
Outlives the creator β persists even if the creator leaves the organization
Visibility
Visible only to the owning user
Admins see all; non-admins see only tokens they created
Use case
Personal CLI/API access
CI/CD pipelines, automation
Prefix
lynk_live_*
lynk_service_*
Limit
No hard limit
100 per organization
Token Creation
When to Create Tokens
User tokens: For individual developers or security engineers interacting with the API or CLI during local development.
Service tokens: For CI/CD pipelines, automated SBOM uploads, scheduled jobs, or any non-interactive access.
Required Permissions
Creating user tokens requires the
manage_api_tokenspermission.Creating service tokens requires the
manage_api_tokenspermission. Any user with this permission can create service tokens and select any role available in the organization.
Token Scopes
User tokens inherit the full permission set of the user's current organization role.
Service tokens are assigned a specific organization role at creation time. The creator selects the role during creation β any role in the organization can be chosen regardless of the creator's own role. Choose the most restrictive role that satisfies the token's purpose.
Expiration Best Practices
Development
30 days
CI/CD pipelines
90 days
Production automation
90β180 days
Temporary/one-off
24 hours or 7 days
Tokens without an expiration date remain valid until explicitly revoked. Avoid creating non-expiring tokens for CI/CD use.
Security Considerations
The raw token value is displayed only once at creation time. It cannot be retrieved afterward. Copy it immediately and store it in a secrets manager.
Tokens are stored as HMAC-SHA256 digests. Interlynk cannot recover a lost token.
All token usage is tracked with a
last_used_attimestamp.Revoked or expired tokens are rejected immediately on any API call.
Creating a User Token (UI)
Navigate to Settings > Personal > Security Tokens.
Click New Token.
Enter a descriptive Token Name (4β128 characters). Use a name that identifies the purpose, such as
ci-sbom-uploadorlocal-dev.Optionally set an Expiration Date. Uncheck "No Expiration" to enable the date picker.
Click Create.
Copy the displayed token immediately. It will not be shown again.
Creating a Service Token (UI)
Navigate to Settings > Organization > Service Tokens.
Click New Service Token.
Enter a Token Name.
Select a Role to assign to the token. This determines what the token can access.
Optionally set an Expiration Date.
Click Create.
Copy the displayed token immediately.
Token Deletion
Revoking Tokens
Revoking a token invalidates it immediately. Any API call or CLI command using a revoked token will receive a 401 Unauthorized response.
To revoke a user token:
Navigate to Settings > Personal > Security Tokens.
Click the action menu on the token row.
Select Revoke.
To delete a service token:
Navigate to Settings > Organization > Service Tokens.
Click the action menu on the token row.
Select Delete.
Impact Analysis
Before revoking a token, consider:
CI/CD pipelines
Any pipeline using the token will fail on the next run
Scheduled jobs
Automated SBOM uploads or downloads will stop
Integrations
Any webhook or external system authenticating with the token will lose access
Other users
Service tokens may be shared across teams β verify no other systems depend on it
Check the token's last_used_at timestamp to determine if it is actively in use before revoking.
Service Tokens
User Token vs. Service Token
Use service tokens for any non-interactive, system-to-system access. Service tokens are bound to the organization, not the individual β they outlive the creator. If the team member who created a service token leaves the organization, the token continues to function with its assigned role.
Each service token tracks who created it. This enables:
Admins: Full visibility β admins see all service tokens in the organization regardless of who created them, and can revoke or delete any token.
Non-admins: Scoped visibility β non-admin users see only the service tokens they personally created, and can only manage their own.
Use user tokens only for personal, interactive use (local CLI sessions, ad hoc API calls).
CI/CD Usage
Service tokens are the recommended authentication method for CI/CD pipelines:
Least Privilege Recommendations
SBOM upload only
Viewer (with upload permission) or custom upload-only role
SBOM upload + vulnerability review
Operator
Full automation (policy management, user management)
Admin (use sparingly)
Read-only dashboards / reporting
Viewer
Create a custom role with only the permissions required by the automation. Assign that role to the service token.
Token Usage
curl Example
Upload an SBOM using the Interlynk GraphQL API:
Successful response:
Error response (invalid token):
pylynk CLI Examples
Set the API key via environment variable (recommended):
Upload an SBOM:
Upload to a specific environment:
Download an enhanced SBOM:
Download by version ID:
List products:
List vulnerabilities:
Best Practices
Never Hardcode Tokens
Store tokens in a secrets manager or CI/CD secret store. Never commit tokens to source control.
Rotation Strategy
Create a new token with the same role and permissions.
Update all systems (CI/CD pipelines, scripts, secrets managers) to use the new token.
Verify the new token is functioning by checking
last_used_at.Revoke the old token.
Rotate tokens on a regular schedule (every 90 days for production service tokens) and immediately if a token may have been exposed.
Incident Response β Token Leak
If a token is leaked (committed to a public repo, logged in plaintext, exposed in a support ticket):
Revoke immediately. Navigate to the token management page and revoke or delete the token.
Audit usage. Check the token's
last_used_atto determine if it was used after the leak.Create a replacement. Issue a new token with the same role.
Review scope. If the leaked token had admin permissions, audit recent changes to the organization for unauthorized modifications.
Rotate related secrets. If the token was stored alongside other secrets, rotate those as well.
Common Misconfigurations
Token passed via --token flag in CI logs
Token visible in build logs
Use INTERLYNK_SECURITY_TOKEN env var instead
Service token with Admin role
Excessive permissions for automation
Create a custom role with minimum required permissions
No expiration set on service tokens
Tokens remain valid indefinitely
Set 90-day expiration and rotate proactively
Token created by a user who left
Token still works but the creator is no longer in the org
Admins retain full visibility and can revoke orphaned service tokens; audit during offboarding
Non-admin cannot find a service token
Non-admins only see tokens they created
Ask an admin to locate and manage the token, or re-create it under your own account
Wrong API URL
401 or connection errors
Verify INTERLYNK_API_URL is set to https://api.interlynk.io/lynkapi (or omit to use default)
Last updated