Access Tokens
Access tokens are project-scoped API keys used to authenticate the Qualflare CLI, automated scripts, and integrations. Each token provides read and write access to the project's test data via the public API.
Accessing Tokens
Go to Project Settings → Access Tokens to manage your project's tokens.
Creating a Token
- Click New Token
- Enter a descriptive name (e.g., "GitHub Actions", "Local Dev")
- Optionally set an expiration date
- Click Create
- Copy the token immediately — it is only shown once after creation
WARNING
Access tokens are only displayed once at creation. Store it securely in a password manager or as an encrypted CI/CD secret immediately.
Token Fields
| Field | Description |
|---|---|
| Name | A label to identify the token's purpose |
| Created | Date the token was created |
| Expires | Expiration date (if set), or "Never" |
| Status | Active or Revoked |
| Last Used | Last time the token was used to make an API call |
Revoking a Token
Click the Revoke button next to a token to immediately invalidate it. Revoked tokens cannot be restored — create a new token if needed.
Using Tokens with the CLI
Save the token under a local identifier with qf login, then prefix your commands with that identifier:
# Save the token locally
qf login myapp qf_your_token_here
# Upload test results
qf myapp collect results.xml
# In CI/CD — log in with --force to skip the interactive prompt
qf login ci "$QF_TOKEN" --force
qf ci collect test-results/*.xmlSee CLI Configuration for details on the identifier model, credentials file location, and available options.
Security Best Practices
- Use one token per environment — separate tokens for local dev, staging, and production
- Store in CI secrets — never commit tokens to source code
- Set expiration dates — rotate tokens regularly (e.g., every 90 days)
- Revoke unused tokens — clean up tokens for tools or environments no longer in use
- Use descriptive names — "GitHub Actions — Production" is clearer than "key1"