Write-token management
Last updated 2026-06-14
Definition
Write-token management is where you mint, list, and revoke the tokens that authorize guarded write actions, like issuing a refund. Each token is minimum-scope, shown once at creation, stored encrypted with KMS, and every use is audited. You hand out only the power an action needs, see what is live, and revoke any token the moment you stop trusting it.
How to do this in Quri
- Open write-token management from /app/settings.
- Mint a token scoped to only the action it needs to authorize.
- Copy the token at creation — Quri shows it once and never again.
- List your live tokens and revoke any you no longer trust.
Frequently asked
- What can a write token actually do?
- Only the action it was scoped for. Tokens are minimum-scope by design, so a token minted for one guarded write cannot quietly authorize others. You grant exactly the power an action requires, nothing more.
- Why is the token shown only once?
- Showing it once and storing it KMS-encrypted means the raw secret never sits in plain sight after creation. Copy it then; if you lose it, revoke the old token and mint a new one.
- Can I tell who used a token and when?
- Yes. Every use of a guarded write action is recorded in an audit log — who, what, when, the arguments, and the result — so token activity is always accountable.
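
The lifecycle described on this page (mint with one scope, show the secret once, list, revoke, audit every use), as an added Python sketch that is not Quri's code or API. The class, the action names and the audit record layout are assumptions. Where the page says tokens are stored KMS-encrypted, this sketch keeps only a SHA-256 digest as a stand-in so it runs offline.

```python
import hashlib
import secrets
import time

class WriteTokenStore:
    """Toy model (not Quri's code) of mint / list / revoke / authorize with auditing."""
    def __init__(self):
        self._tokens = {}    # token_id -> {"digest", "scope", "owner", "revoked"}
        self.audit_log = []  # one record per attempted guarded write

    def _digest(self, raw):
        return hashlib.sha256(raw.encode()).hexdigest()

    def mint(self, owner, scope):
        raw = secrets.token_urlsafe(32)        # raw secret exists only in this return value
        token_id = "wt_" + secrets.token_hex(4)
        self._tokens[token_id] = {"digest": self._digest(raw), "scope": scope,
                                  "owner": owner, "revoked": False}
        return token_id, raw                   # shown once; the store keeps the digest only

    def list_live(self):
        return [(tid, t["scope"]) for tid, t in self._tokens.items() if not t["revoked"]]

    def revoke(self, token_id):
        self._tokens[token_id]["revoked"] = True

    def authorize(self, raw, action, arguments):
        digest = self._digest(raw)
        t = next((t for t in self._tokens.values() if t["digest"] == digest), None)
        if t is None:
            result = "denied:unknown_token"
        elif t["revoked"]:
            result = "denied:revoked"
        elif t["scope"] != action:             # minimum scope: exact action match only
            result = "denied:out_of_scope"
        else:
            result = "allowed"
        self.audit_log.append({                # assumption: denied attempts are audited too
            "who": t["owner"] if t else None, "what": action, "when": time.time(),
            "arguments": arguments, "result": result})
        return result == "allowed"

def demo():
    store = WriteTokenStore()
    token_id, raw = store.mint("support-bot", "refund.issue")  # constructed names
    outcomes = [store.authorize(raw, "refund.issue", {"order": "A-1001", "amount": 25}),
                store.authorize(raw, "account.delete", {"user": "u-42"})]
    store.revoke(token_id)
    outcomes.append(store.authorize(raw, "refund.issue", {"order": "A-1002", "amount": 25}))
    return outcomes, [r["result"] for r in store.audit_log], store.list_live()
```

`demo()` walks one token through an in-scope use, an out-of-scope attempt and a use after revocation; the audit trail keeps a record of all three.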