> ## Documentation Index
> Fetch the complete documentation index at: https://docs.orderprotection.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Personal Access Tokens

> Create user-scoped API tokens to access your own account's data — no app install required.

Personal Access Tokens (PATs) let you call the OrderProtection API directly for the stores **you** already have access to, without building and installing an app. They're the fastest way to script against your own data — pulling analytics, reading orders, or automating claim workflows.

<Note>
  **PAT vs. OAuth — which do I use?**

  * Use a **Personal Access Token** to access **your own account's stores** — internal scripts, data exports, back-office automation. No app, no marketplace, no install step.
  * Use **[OAuth](/developer/authentication)** to build an **app that other merchants install**. The app receives tokens scoped to whatever each merchant granted at install time.
</Note>

## How a PAT is scoped

A PAT inherits the identity of the user who created it:

* **Account** — the token is permanently bound to your account. It can only ever read data belonging to that account. This binding is fixed at creation time and does not change afterward.
* **Stores** — the token can only act on stores where you have a role. If you lose access to a store, the token loses it too.
* **Scopes** — you choose a subset of your permissions when creating the token (see [Scopes](#available-scopes) below). A token can never exceed the permissions you already hold.

<Warning>
  A PAT cannot grant access you don't already have. If you don't have a role on a store, you cannot create a token for it — the store will be rejected with a "Store denied" error.
</Warning>

## Creating a token

Create and manage Personal Access Tokens from your OrderProtection dashboard:

1. Click your **avatar** in the top corner, then select **Personal Access Tokens**.
2. Click **Create token**, give it a name, and select the **stores** and **scopes** it should carry.
3. (Optional) Set an expiration date.
4. Click **Create**. The full token is shown **once** — copy it immediately and store it somewhere safe.

<Warning>
  The raw token value is revealed only at creation. If you lose it, revoke the token and create a new one — it cannot be shown again.
</Warning>

## Token format

Personal Access Tokens are prefixed with `op_pat_`:

```
op_pat_8508b7432c45f79827460fea_ajhnyH-9t8Jy4j8JyNtKVak2efAhJ88R...
```

## Using a token

Send the token as a Bearer token in the `Authorization` header — exactly like an OAuth access token:

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://api.production.orderprotection.com/v1/analytics/tables/orders" \
    -H "Authorization: Bearer op_pat_8508b7432c45f79827460fea_ajhnyH..."
  ```

  ```javascript Node.js theme={null}
  const response = await fetch(
    "https://api.production.orderprotection.com/v1/analytics/tables/orders",
    {
      headers: { Authorization: "Bearer op_pat_8508b7432c45f79827460fea_ajhnyH..." },
    }
  );
  const body = await response.json();
  ```
</CodeGroup>

Because a PAT can be scoped to multiple stores, endpoints that support multiple stores will return data for **all** of the token's authorized stores by default. Use the `store_ids` query parameter to narrow a request to specific stores.

## Available scopes

A Personal Access Token can carry any subset of the following scopes. Scope names use the `domain:verb` format.

| Scope                | Description                                                                                 |
| -------------------- | ------------------------------------------------------------------------------------------- |
| `analytics:read`     | Read store analytics and reporting data (see the [Analytics API](/developer/analytics-api)) |
| `order:read`         | Read order data                                                                             |
| `order:update`       | Create and update orders                                                                    |
| `claim:read`         | Read claim data and status                                                                  |
| `claim:create`       | File new claims                                                                             |
| `claim:update`       | Update existing claims                                                                      |
| `order-note:read`    | Read order notes                                                                            |
| `order-note:create`  | Add order notes                                                                             |
| `order-note:update`  | Update order notes                                                                          |
| `order-note:delete`  | Delete order notes                                                                          |
| `fulfillment:read`   | Read fulfillment data                                                                       |
| `fulfillment:create` | Create fulfillments                                                                         |
| `fulfillment:update` | Update fulfillments                                                                         |

<Note>
  A token only receives the scopes you select **and** already hold. Selecting a scope you don't have will be rejected at creation.
</Note>

## Revoking a token

Revoke a token at any time from your **avatar → Personal Access Tokens**. Revocation takes effect immediately — any further requests using that token return `401 Unauthorized`.

<Tip>
  Rotate tokens periodically and revoke any token that may have been exposed. Treat a PAT like a password: never commit it to source control or embed it in client-side code.
</Tip>
