Tokeno is the self-hosted token & access management platform built for teams that ship fast. Issue, revoke, and audit access tokens for every app — from one clean dashboard.
Purpose-built for teams managing access across multiple applications, environments, and user roles.
Issue, revoke, and extend access tokens from a single dashboard. Every change is instant and audit-logged. Supports expiry presets, custom dates, or never-expire tokens.
Pull-sync your client app against Tokeno's API — revoked tokens are denied at your gate within seconds of the next sync. No stale credentials sitting in your system.
Six built-in roles — from Platform Admin to read-only Auditor. Each role has precise permissions so your team works at the right access level without accidental mutations.
Every action — token issued, user invited, role changed, company suspended — is recorded with actor, timestamp, and detail. Export to CSV for compliance reporting.
Get instant push notifications for every token lifecycle event — created, revoked, extended, expiring. Each webhook is signed with your app's HMAC secret so you can verify authenticity.
Swagger UI and Python playground built in. Try every endpoint live — HMAC auto-signing via Web Crypto, management key auth, real responses. No Postman setup needed.
No YAML sprawl, no OAuth dance, no third-party dependency. Three steps and your first app is protected.
Name your application, set its base URL, and choose your access criteria model (domain, tenant, role, environment). Tokeno generates a unique HMAC secret shown once — drop it in your .env.
Invite users by email, assign roles and teams. They receive a branded onboarding email with a one-time link. Three-step onboarding: password → OTP → profile. Done.
Issue tokens to users from the dashboard. Drop tokeno_client.py into your app, call client.sync(), and gate any route with a single lookup. Access controlled.
Every company gets Core by default. Unlock Auth Bridge when you need Tokeno to also handle your login page.
Everything you need to manage who has access to what across all your applications — without touching your existing auth stack.
Let Tokeno serve the login page for your app. Users sign in on Tokeno's domain — credentials never touch your servers. Perfect for fresh projects or internal tools with no existing auth.
tokeno_client.py login helpers included
# Drop this into any Python app
from flask import abort  # Flask shown here; use your framework's own 403 helper
from tokeno_client import TokenoClient

client = TokenoClient(
    app_slug     = "customer-portal",
    company_slug = "acme-corp",
    hmac_secret  = "your-secret-from-tokeno",
    base_url     = "https://tokeno.acme.com",
)

# Pull latest tokens + revocation list
client.sync()

# Gate a route in Flask / FastAPI / Django
def require_access(user_email):
    token = client.find_token_by_email(user_email)
    if not token:
        abort(403)  # no token → no access
    # Check fine-grained criteria
    if token["criteria_value"] != "premium":
        abort(403)  # wrong tier → blocked
    return token

# Revoke in Tokeno → access denied on next sync
No SDK sprawl, no vendor lock-in. A single Python file is all your app needs. Tokeno speaks plain HTTP with HMAC-signed requests — works with any language or framework.
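With pull-sync, the local token list is only as trustworthy as the last successful sync, so a gate should deny when that sync is too old. The block below is an added example, not Tokeno's code and not part of tokeno_client.py; the class name, the fetch callable and the email, revoked and expires_at field names are assumptions, and only criteria_value comes from the page.

```python
import time

# Constructed sample records. "criteria_value" appears on the page; the
# "email", "revoked" and "expires_at" field names are assumptions.
SAMPLE_RECORDS = [
    {"email": "ana@example.com", "criteria_value": "premium", "revoked": False, "expires_at": None},
    {"email": "bo@example.com", "criteria_value": "basic", "revoked": False, "expires_at": 1_000},
    {"email": "cy@example.com", "criteria_value": "premium", "revoked": True, "expires_at": None},
]

class SyncedTokenGate:
    """Hypothetical fail-closed gate over a locally synced token list."""

    def __init__(self, fetch, max_age_seconds=60, clock=time.monotonic):
        self._fetch = fetch              # callable returning a list of token dicts
        self._max_age = max_age_seconds  # upper bound on the revocation window
        self._clock = clock
        self._tokens = {}
        self._synced_at = None

    def refresh(self):
        """Pull the token list; on failure keep the old cache but do not mark it fresh."""
        try:
            records = self._fetch()
        except Exception:
            return False
        self._tokens = {r["email"].lower(): r for r in records}
        self._synced_at = self._clock()
        return True

    def check(self, email, required_criteria=None, now_epoch=None):
        """Return (allowed, reason). Every doubtful case denies."""
        if self._synced_at is None or self._clock() - self._synced_at > self._max_age:
            return False, "stale-cache"  # sync is failing or never ran: fail closed
        token = self._tokens.get(email.lower())
        if token is None:
            return False, "no-token"
        if token.get("revoked"):
            return False, "revoked"
        now = time.time() if now_epoch is None else now_epoch
        expires_at = token.get("expires_at")  # None models a never-expire token
        if expires_at is not None and expires_at <= now:
            return False, "expired"
        if required_criteria is not None and token.get("criteria_value") != required_criteria:
            return False, "criteria-mismatch"
        return True, "ok"
```

The max_age_seconds value is the longest a revoked token can keep working, so set it from your sync interval and alert when refresh() returns False.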
Six built-in roles mean you never have to give someone more access than they need.
Manages the whole platform — companies, onboarding, email system, superadmin accounts, and global settings.
Full control over their organisation — inviting users, registering apps, managing tokens, and configuring API keys.
Read-only access to all org data — users, tokens, audit trail. Perfect for compliance reviews without mutation risk.
Manages tokens for specific apps — create, revoke, extend. Cannot touch users, teams, or org-level settings.
Approves or rejects member access requests for their teams. Streamlines the access workflow without involving admins.
End users who view their own tokens, submit access requests, and track request status — all in a clean self-service portal.
Submit your company request and get provisioned within minutes. No credit card. No SaaS subscription. Your data stays on your infrastructure.