Skip to content

User Access Tokens

Scion supports user access tokens (UATs) for programmatic access to the Hub API and for authenticating CLI operations when browser-based OAuth is not feasible — for example in CI/CD pipelines or automation scripts.

A user access token is a scoped, revocable bearer token linked to your user account, used for non-interactive authentication. Unlike a full OAuth session, a UAT is scoped to a single project and carries a specific set of action permissions, so a token minted for CI can do only what CI needs.

Note on legacy keys: the legacy sk_live_* API keys have been completely removed. All users must migrate to scion_pat_* tokens.

Every token is scoped to a single project and to an explicit list of scopes (action permissions). Available scopes:

ScopeGrants
project:readRead project metadata
agent:createCreate agents
agent:readRead agent status/metadata
agent:listList agents
agent:startStart/restart agents
agent:stopStop agents
agent:deleteDelete agents
agent:messageSend messages to agents
agent:attachAttach to agent sessions
agent:dispatchDispatch agents (create + start)
agent:manageAll agent scopes (convenience alias)

Generate a new token with the Scion CLI:

Terminal window
scion hub token create \
--project my-project \
--name "github-actions" \
--scopes agent:dispatch,agent:read,agent:stop \
--expires 90d
  • --project (required) — the project name or ID the token is scoped to.
  • --name (required) — a human-readable label.
  • --scopes (required) — a comma-separated list of the scopes above.
  • --expires — a duration (30d, 90d, 1y) or an RFC 3339 date (2026-12-31T00:00:00Z). Defaults to 90 days; maximum 1 year.

The command prints the token value once. Store it securely — it cannot be retrieved later.

Authenticate by setting the token in the SCION_HUB_TOKEN environment variable:

Terminal window
export SCION_HUB_TOKEN="scion_pat_..."
scion list --project my-project

When this variable is set, the CLI bypasses the browser-based OAuth flow and uses the token for all communication with the Hub.

It is crucial to distinguish how users authenticate with the Hub from how agents authenticate with the Hub. Scion uses two separate environment variables to enforce strict privilege boundaries:

  • Purpose: Authenticates a human user or a CI/CD pipeline.
  • Scope: Grants access based on the user’s permissions and the specific scopes assigned to the token.
  • Usage: Used by the Scion CLI or external scripts calling the Hub API.
  • Purpose: Authenticates an agent running within a container.
  • Scope: Carries a Hub-issued JWT scoped specifically to that agent. It is short-lived, auto-injected by the Runtime Broker, and grants only the specific permissions that agent needs to function (e.g., reporting status, reading its own secrets).
  • Usage: Automatically used by the sciontool binary running inside the agent.

Tokens can be managed either via the CLI or the Web UI.

The easiest way to administer your tokens is through the Web UI management interface available in your user profile. It lets you create, view, and revoke tokens visually, and configure action permissions and project-level scopes.

List your tokens (name, ID, visible prefix, status, expiry, and scopes):

Terminal window
scion hub token list

Revoke a token — it stops working for authentication but remains visible in listings as revoked:

Terminal window
scion hub token revoke <token-id>

Delete a token entirely (rather than leaving it in listings as revoked):

Terminal window
scion hub token delete <token-id>