API Tokens
API tokens let third-party apps access the Notaday API without using the interactive Google login flow.
Create A Token
- Open Notaday.
- Go to Profile.
- Find API Tokens.
- Select New Token.
- Enter a recognizable name, such as Zapier sync or Personal CLI.
- Create the token.
- Copy the full token immediately.
The full token is shown only once. After creation, Notaday stores a SHA-256 hash and displays only a masked version.
Use A Token
Send the token as a Bearer token:
curl http://localhost:4000/entries \
  -H "Authorization: Bearer ntd_your_token_here"
List Tokens
GET /users/me/api-tokens
Authorization: Bearer <jwt>
Returns active tokens for the authenticated user:
[
  {
    "id": "507f1f77bcf86cd799439011",
    "name": "Personal CLI",
    "maskedToken": "ntd_abc******************wxyz",
    "createdAt": "2026-05-04T10:30:00.000Z",
    "lastUsedAt": "2026-05-04T11:00:00.000Z"
  }
]
Create Token Endpoint
POST /users/me/api-tokens
Authorization: Bearer <jwt>
Content-Type: application/json
Request:
{
  "name": "Personal CLI"
}
Response:
{
  "id": "507f1f77bcf86cd799439011",
  "name": "Personal CLI",
  "maskedToken": "ntd_abc******************wxyz",
  "createdAt": "2026-05-04T10:30:00.000Z",
  "token": "ntd_full_token_value_returned_once"
}
Revoke A Token
DELETE /users/me/api-tokens/{id}
Authorization: Bearer <jwt>
Successful revocation returns 204 No Content. Revoked tokens can no longer authenticate API requests.
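The token lifecycle described on this page (full value returned once, SHA-256 hash stored, masked value listed, revocation ending authentication) can be sketched as follows. This is an added example, not Notaday's own code: the `TokenStore` class, its method names, the in-memory dictionary, and the token length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PREFIX = "ntd_"  # prefix used in this page's examples


def mask(token):
    """Prefix, 3 leading and 4 trailing characters stay visible, like maskedToken."""
    body = token[len(PREFIX):]
    return PREFIX + body[:3] + "*" * (len(body) - 7) + body[-4:]


def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # id -> record; the full token is never stored

    def create(self, user_id, name):
        token = PREFIX + secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        token_id = secrets.token_hex(12)
        self._rows[token_id] = {"userId": user_id, "name": name, "hash": digest(token),
                                "maskedToken": mask(token), "lastUsedAt": None}
        return token_id, token  # the only time the full value is returned

    def authenticate(self, presented):
        candidate = digest(presented)
        for row in self._rows.values():
            if hmac.compare_digest(row["hash"], candidate):  # constant-time compare
                row["lastUsedAt"] = datetime.now(timezone.utc).isoformat()
                return row["userId"]
        return None  # unknown or revoked

    def list_for(self, user_id):
        return [{"id": i, "name": r["name"], "maskedToken": r["maskedToken"],
                 "lastUsedAt": r["lastUsedAt"]}
                for i, r in self._rows.items() if r["userId"] == user_id]

    def revoke(self, user_id, token_id):
        row = self._rows.get(token_id)
        if row is None or row["userId"] != user_id:
            return False  # only the owner can revoke
        del self._rows[token_id]
        return True
```

An unsalted SHA-256 is adequate in this sketch only because the token is long random data rather than a human-chosen password, so a leaked hash cannot be brute-forced back to the token.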
Security Recommendations
- Store tokens in a secret manager or encrypted environment variable.
- Never expose tokens in browser-side code, public repositories, screenshots, or logs.
- Create one token per integration so access can be revoked independently.
- Rotate tokens if a machine, vendor, or log store may have exposed the value.
- Treat the token like a password for the user's Notaday account data.