Skip to main content
This feature is in public preview.
Tokens authenticate with the SF Compute API. Use tokens for CI/CD pipelines, automation, and service accounts. Tokens use the sk_live_ prefix.

Creating a token

Tokens are scoped to the organization, not to a workspace. 
sf tokens create --name deploy
The token value (sk_live_...) is shown once at creation. Store it somewhere safe — you can’t retrieve it again. Tokens can have an optional expiry. Pass a duration with --expires. 
sf tokens create --name deploy --expires 90d
The default expiry is 90 days if neither --expires nor --no-expire is passed. Pass --no-expire to create a never-expiring token non-interactively.

Attaching a role

A token with no role attached cannot do anything. Attach a role at creation time with --role: 
sf tokens create --name ci-deploy --role training-operator
--role can be passed multiple times to attach more than one role. Running sf tokens create without --role shows an interactive multi-select picker over your available roles. Roles attached this way apply organization-wide. To scope a token’s role to a single workspace, or to grant a role to an existing token, create the grant explicitly with sf grants create. See Grants.

Listing tokens

sf tokens list

NAME     SUFFIX   CREATED                LAST USED  EXPIRES
deploy   ...FHbI  Mar 1, 2025, 12:00pm   Never      May 29, 2025, 12:00pm
admin    ...XyZ1  Feb 15, 2025, 9:00am   Never      May 15, 2025, 9:00am

Deleting a token

sf tokens delete deploy
Revocation is immediate. In-flight requests authenticated with the token will fail.

Using a token

See Using the API to authenticate requests with your token.