Access Control

Access Control

The Access Control section covers how your account is secured, how API access is managed, and how platform activity is tracked.

It contains three areas:

• API Tokens -- Create and manage tokens that allow your applications, scripts, and automation to authenticate with the Stacuity API without requiring a user login.
• Audit Activity -- A tamper-proof log of every administrative and configuration change made to your account, available for compliance, incident investigation, and operational accountability.
• Credentials -- Store and manage authentication credentials used by other parts of the platform, such as SMPP credentials referenced by Event Handlers.

Access Control Model

At present, all users with a Customer Portal account have access to all features within it. Configuration is account-wide. Anything set up by one user is visible and editable by any other user on the same account.

Overview

API Tokens allow your applications, scripts, and automation to interact with the Stacuity API without requiring a user login.

Navigate to Access Control → API Tokens.

The list shows each token's Name, Enabled status, and Created (UTC) timestamp.

1. Click Create a Token.
2. Enter a Name to identify the token.
3. The Enabled toggle is on by default. Leave it enabled unless you want to create the token in a disabled state.
4. Click Create.

After creation, the portal displays the token value once. Copy it immediately using the Copy to Clipboard button. It is not shown again.

The portal also provides a curl command you can use to test the token immediately:

curl -X GET "https://api.stacuity.com/api/v1/apitokens/verify" -H "Authorization: Bearer <your-token>" -H "Content-Type:application/json"

Token Security

• Never commit tokens to source code repositories. Use environment variables or a secrets manager.
• Revoke tokens immediately when a system is decommissioned or an integration changes.
• Use the Enabled toggle to temporarily disable a token without deleting it.

Editing a Token

1. Click the edit icon next to the token.
2. Update the Name or toggle the Enabled state.
3. The token value is shown masked. Click the reveal icon to see it, or click Copy Token to Clipboard to copy it.
4. Click Update.

Revoking a Token

1. Click the delete icon next to the token.
2. Confirm deletion.

Revocation is immediate. Any system using the token will receive 401 Unauthorised responses from the API.

Using the API

Include the token as a Bearer token in all API requests:

Authorization: Bearer <token>

Audit Activity

Audit Activity contains a history of administrative and configuration changes applied to Endpoints, Groups and Policies.

Overview

The Audit Activity log records every administrative and configuration change made to your account. It cannot be modified or deleted, and is available for compliance purposes, incident investigation, and operational accountability.

Navigate to Access Control → Audit Activity.

List View

Event Detail

Click the arrow on any audit row to expand it and see the full JSON record. The expanded view shows a structured before/after diff for updates, for example:

{
  "update": {
    "prior": {
      "name": "my-token",
      "allowLogin": true
    },
    "after": {
      "name": "my-token",
      "allowLogin": false
    }
  },
  "auditType": "Updated",
  "auditObject": "ApiToken"
}

Credentials

Credentials are used for authentication with Stacuity and external services.

Overview

The Credentials section stores authentication credentials used by other parts of the platform, such as SMPP credentials referenced by Event Handlers.

Navigate to Access Control → Credentials.

The list shows each credential's Name, Moniker, Type, Created (UTC), and Updated (UTC).

Creating a Credential

1. Click Add.
2. Fill in the fields and click Create.

Available credential types include SMPP and others depending on your account configuration. Select the type that matches the service you are authenticating with.