If you’re interested, please comment here and come join our “Contributors” community channel on our daily build server, where you can discuss questions with community members and the Mattermost core team. For technical advice or questions, please join our “Developers” community channel.
New contributors, please see our Developer’s Guide, specifically the sections on machine setup and developer workflow.
Notes: Jira ticket
In large deployments, with several users creating personal access tokens, it’s essential for the System Admin to be able to find, manage and revoke these tokens as needed.
Some of this is currently handled by the “Manage Tokens” option in the Users page, but the functionality is limited and tokens can only be viewed per user. There isn’t a single list of tokens available in the UI.
A Tokens page is a key request from some customers with respect to personal access tokens.
1) Add a “Personal Access Tokens” page to the System Console, listed below “Users” in the sidebar.
The list includes
- Token ID and Token Description
- User who created the token
- Option to delete the token on the right
Tokens are sorted alphabetically by token ID.
Admin can search tokens by
- token ID
- user ID
2) Deleting the token - Clicking “Delete” will bring up a confirmation dialog similar to the one below when deactivating a user, with:
Title: Delete Token
Any integrations using this token will no longer be able to access the Mattermost API. You cannot undo this action.\n\nAre you sure you want to delete the [description] token?
Buttons: Cancel // Delete
Hitting “Cancel” closes the popup and takes no action. Hitting “Delete” deletes the token.
3) Add a client-side telemetry event when a System Admin deletes a token via System Console > Access Tokens.
Please use category: ‘system_console_tokens’ for the telemetry entry, in order for it to be distinguished from a System Admin deleting a token from the System Console > Users page.
4) Update the System Console > Custom Integrations help text for enabling a personal access token to:
When true, users can create personal access tokens for integrations in Account Settings > Security. They can be used to authenticate against the API and give full access to the account.
To manage who can create personal access tokens or to search users by token ID, go to the Reporting > Users page. To manage tokens, go to the Reporting > Personal Access Tokens page.