Access tokens
Create and manage scoped bearer tokens for programmatic access to your account.
Access tokens are the single, unified credential type for everything except the UTM web app login. They replace the older "API keys" and "Connected apps" surfaces, which were functionally identical and now share one storage primitive, one settings page, and one set of scopes.
Issuing an access token requires the ADVANCED or PRO subscription tier, depending on the cap your plan sets.
Creating an access token
- Navigate to Settings -> Access tokens.
- Stay on the Personal tokens tab and click New token.
- Enter a descriptive label (e.g.
TradingView Webhook). - Select the scopes the consumer needs.
- Optionally set an expiry date. If you leave it blank the token lives for one year.
- Click Create token.
- Copy the token immediately. It is not shown again.
Tokens are prefixed with dt_ and stored as bcrypt hashes server-side.
Using an access token
Include the token in the Authorization header using the Bearer scheme:
curl https://api.universaltrademanager.com/api/v1/trades \
-H "Authorization: Bearer dt_your_token_here"
const response = await fetch(
"https://api.universaltrademanager.com/api/v1/trades",
{
headers: {
Authorization: "Bearer dt_your_token_here",
},
},
);
const { trades } = await response.json();
The legacy X-API-Key: utm_* header still works for tokens issued before the unification and continues to authenticate against the same scope checks.
Scope enforcement
A request is rejected with 403 Forbidden if the token does not have the required scope for the endpoint being called.
# Token has trading:read but not signals:write
curl -X POST https://api.universaltrademanager.com/api/v1/signals/ingest \
-H "Authorization: Bearer dt_your_token_here"
# -> 403 Insufficient scope
See Scopes for the full categorical scope catalogue.
Plan limits
| Tier | Access tokens allowed |
|---|---|
| Free | 0 |
| Basic | 0 |
| Advanced | 0 |
| PRO | 10 |
A create request that would exceed your plan's cap is rejected with 403 Forbidden and a structured body:
{
"error": "Maximum 10 connected apps allowed on your plan.",
"code": "CONNECTED_APP_LIMIT_REACHED"
}
In the web UI, when your plan does not include access tokens the page renders an upgrade prompt in place of the create button. When your plan includes access tokens but you have reached the cap, the create button is disabled and a tooltip names the limit and links to the upgrade page.
Token expiry
Tokens expire after one year by default. Override the lifetime when issuing the token. Expired tokens return 401 Unauthorized.
Revoking an access token
- Navigate to Settings -> Access tokens.
- Click the trash icon next to the token row.
- Confirm the revocation.
The token is invalidated immediately. The revocation cannot be undone; issue a new token to replace it.
Desktop sessions
The Desktop devices tab on the same page lists the sessions issued by the UTM desktop app. Those tokens are issued by the desktop login flow, not from this settings page, and are view-only here. Sign out from the desktop app to retire a session.
Security best practices
- Treat access tokens like passwords. Never commit them to source control.
- Store tokens in environment variables in the consuming application.
- Grant the minimum scopes the integration needs.
- Revoke tokens that are no longer in use.
- Rotate tokens periodically by revoking the old one and issuing a fresh one.