Create an API token
Mint, store, and revoke Hoursmith API tokens from Settings → API. Tokens are shown once and inherit your role.
API tokens are how scripts, integrations, and the MCP server authenticate as you. You create them in the app.
- Plan: Studio, Agency
API access requires Studio or Agency. Any active member can mint a token for themselves; the token inherits that member's role and project access.
Create a token
Open Settings → API
Go to Settings → API in the app (https://hoursmith.app/settings/api).
Create a new token
Give it a recognizable name (e.g. "Zapier", "CI deploy", "My laptop") so you can tell tokens apart later. Create it.
Copy the token now
The full token (hsk_…) is shown once. Copy it immediately into your environment variable or
secrets manager — you can't view it again. If you lose it, revoke it and create a new one.
Store it safely
# .env (never commit this)
HOURSMITH_API_TOKEN=hsk_live_4f8a2c1bdedf_9X3kQp7vT2nM5wRzL8sJyB6FhA1uC0gE
Hoursmith only ever stores a hash of the secret, so support can't recover a lost token — and neither can an attacker who reads the database.
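To back up the "never commit this" rule, a check can refuse any file that contains something shaped like a token. The script below is an added example, not Hoursmith's own code; the token pattern is an assumption inferred from the single sample above, and the function names are made up for illustration.

```python
import re
import sys
from pathlib import Path

# Assumed token shape, inferred from the one sample on this page:
# hsk_<environment>_<hex id>_<alphanumeric secret>. Lengths are kept loose
# on purpose, since a missed token costs more than a false alarm.
TOKEN_RE = re.compile(r"\bhsk_[a-z]+_[0-9a-f]+_[A-Za-z0-9]{16,}\b")


def redact(token):
    """Show only enough of the token to recognise it in the report."""
    return token[:12] + "...[redacted]"


def scan_text(text, source="<text>"):
    """Return (source, line number, redacted token) for every match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan the given files; unreadable paths are skipped, not fatal."""
    findings = []
    for name in paths:
        try:
            text = Path(name).read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(name)))
    return findings


if __name__ == "__main__":
    # Pre-commit style use: file names to check arrive as arguments.
    hits = scan_files(sys.argv[1:])
    for source, lineno, shown in hits:
        print(f"{source}:{lineno}: possible Hoursmith API token {shown}")
    sys.exit(1 if hits else 0)
```

Run it against the files about to be committed; a non-zero exit status means a token-shaped string was found. Any token that did reach a commit should be revoked and replaced, as described under "Rotate a token".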
Who can see and revoke tokens
- You can see and revoke the tokens you created.
- Owners and Admins can also see and revoke every token in the workspace — useful when someone leaves the team.
Removing a member automatically invalidates their tokens.
Rotate a token
To rotate: create a new token, update wherever the old one is used, then revoke the old one. Revocation takes effect immediately on the next request.
What a token can do
A token acts as the member who created it:
- Owner / Admin tokens reach the whole workspace.
- Manager tokens can read everything and create/update clients, projects, tasks, and time.
- Member tokens are limited to their own time entries and the projects they're on, and can't touch invoices, expenses, or clients.
See Permissions & plans for the details.
Treat a token like a password. Anyone with it can act as you, up to your role's permissions, until it's revoked.