A CodeAnt token authenticates to CodeAnt, not to your Git provider. It always starts with the prefix
cdt_ and is scoped to a single provider + organization.Create a token
- Open CodeAnt AI, then open the user menu (click your email at the bottom-left of the sidebar) and select API Tokens.
- Click Create token.
- Check the Bound to chip - it shows the provider and organization the token will belong to. Tokens are scoped to the workspace you’re currently in, so switch workspaces first if you need a token for a different organization.
-
Give the token a descriptive name (for example
ci-coverageorautomation-token). Names can be up to 60 characters. -
Choose the token’s Scope (optional, but recommended - see Permissions and scopes):
- Role - pick a role that grants only the permissions the token needs: Codeant CI/CD for pipeline tokens (scans, quality gates, coverage), Codeant Member for read-only reporting, Codeant Admin for full access, or any custom role defined in Access Control. Leave it on Full access (no restriction) for an unscoped token.
- Repositories - once a role is chosen, restrict the token to specific repositories, or tick All repositories to cover the whole organization (including repos added later).
- Click Create token.
-
Copy the token immediately. It starts with
cdt_and is shown only once - for security, the full value is never displayed again. Store it in your secret manager or CI secret store. CodeAnt only keeps the last 4 characters for identification.
Use a token
CI pipelines Add the token to your pipeline as a secret, then pass it as the access-token input of the CodeAnt coverage, scan, or quality-gate step. See: REST API Send the token as a bearer token in theAuthorization header:
Permissions and scopes
A token can be limited by a role (which product areas / actions it may use) and a repository scope (which repos it may touch). Any request outside the token’s scope is refused with HTTP403 and a body like:
Roles
Roles are defined in Access Control (Settings → Access Control). Three presets ship by default; admins can also create custom roles.| Role | Grants |
|---|---|
| Codeant CI/CD | Everything a pipeline needs - trigger & read scans, quality gates, and coverage upload |
| Codeant Member | Read access to AI Code Review, Code Quality, Code Security, and Cloud Security |
| Codeant Admin | Full access to every action |
Repository scope
- All repositories - the token works across the whole organization, including repositories added later.
- Specific repositories - the token only works on the repositories you select. Any other repository returns
403with “This token isn’t scoped to<repo>”.
Permission required per API area
A permission reflects the product area of the data, so the same permission gates the dashboard and the API.cicd is reserved for pipeline plumbing that has no dashboard equivalent.
| API / operation | Endpoints | Required permission |
|---|---|---|
| Read SAST / SCA / secrets / SBOM results, trigger scans, scan history | /api/analysis/… | Code Security (read) |
| IaC results | /api/analysis/results/iac | Cloud Security (read) |
| Anti-pattern (code quality) results | /api/analysis/results/antipatterns | Code Quality (read) |
| AI agent scans | /api/agents/… | AI Code Review (read) |
| DAST scans | /analysis/ci/dast/… | Cloud Security (read) |
| Quality gates, full-scan gate, test-coverage upload | /analysis/ci/quality-gates/…, /api/full-scan-gate/…, /pr/analysis/coverage/… | CI/CD (read) |
| Team management | /api/metrics/developer/teams/… | Organization (read; write for create/update/delete) |
| Engineering / DORA metrics | /api/metrics/developer/… | Engineering Metrics (read) |
| Account users & subscriptions | /api/account/… | Organization (read; write for changes) |
The Codeant CI/CD role covers the entire CI surface above (scans, quality gates, coverage) plus read access to the security/quality areas a pipeline gates on - so a single CI token needs only this one role.
Creator cap & existing tokens
- A token can never exceed the access of the person who creates it. If you request more than you have, creation is rejected with a
403explaining which permission exceeded your access. - Backwards compatible: tokens created before scoping existed - and raw VCS provider tokens (GitHub / GitLab / Bitbucket / Azure DevOps PATs) used directly against the API - keep full access. Scoping only applies to new tokens you explicitly scope.
Manage and revoke tokens
The API Tokens page (open the user menu - your email at the bottom-left of the sidebar - and select API Tokens) lists every token for the current workspace, each showing a masked value (cdt_••••last4), the provider and organization it’s bound to, when it was created, and whether it’s Active or Revoked.
To revoke a token, hover over it and click the trash icon, then confirm Delete token. Revocation is immediate and irreversible - any client still using that token loses access right away.