Personal Access Tokens

We’ve been thinking a lot about what it means for Dradis to be genuinely ready for agentic workflows: an AI agent or automated script that can read your findings, enrich them, update severity ratings, pull in remediation notes, and hand everything back without a human in the loop for every step. Personal Access Tokens are the foundation that makes all of that possible safely.

The Problem

If you’ve ever used the Dradis API, you know what the current setup looks like: one token, full access, no expiry. It works, but it’s the wrong model once you’re handing credentials to an agent or an automated pipeline. Every integration gets the same all-or-nothing key. You can’t tell a vulnerability triage agent “you may read and update issues, but you can’t touch reports or delete anything.”

What We Built

Personal Access Tokens let you create multiple tokens, each with its own name, scope set, and optional expiry.

When you create a token, you pick exactly which resources and actions it’s allowed to use. For example, an agent that’s triaging findings gets issues:read, issues:create, issues:update, and the node context it needs. Nothing else.

You can also go further with Conditions, which let you restrict a token to a specific project or team. An agent you’re running for one client engagement can’t accidentally read or write to another project, even if it wanted to.

After creation, the full token is shown exactly once. Copy it and store it in your secrets manager. We only keep a hash of the secret from that point on.

Back on the token list, you get a live view of all your active tokens: what scopes they have, when they expire, when they were last used. Revoke any of them individually without touching the others.
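To make the pieces above concrete, here is a constructed Ruby sketch of how a scoped-token check fits together: a secret that is hashed at creation and never stored, a `resource:action` scope list, a project/team condition, an expiry, revocation, and a last-used timestamp. This is an added illustration, not Dradis’s own code; the `Token` struct, its field names, and the `authorize` signature are assumptions.

```ruby
require "digest"
require "securerandom"

# Constructed token record (assumption, not the Dradis schema). Only the
# SHA-256 hash of the secret is kept; the plaintext is handed out once.
Token = Struct.new(:name, :secret_hash, :scopes, :conditions,
                   :expires_at, :revoked, :last_used_at, keyword_init: true)

# Returns [plaintext_secret, token]. The caller shows the secret exactly once.
def create_token(name:, scopes:, conditions: {}, expires_at: nil)
  secret = SecureRandom.hex(32)
  token = Token.new(name: name,
                    secret_hash: Digest::SHA256.hexdigest(secret),
                    scopes: scopes, conditions: conditions,
                    expires_at: expires_at, revoked: false)
  [secret, token]
end

# Byte-by-byte comparison that does not short-circuit on the first mismatch,
# so timing does not reveal how much of the hash matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authorize one API request. `scope` is "resource:action" (e.g. "issues:update");
# project_id/team_id identify the resource being touched. Returns [allowed, reason].
def authorize(token, presented_secret, scope, project_id:, team_id:, now: Time.now)
  presented_hash = Digest::SHA256.hexdigest(presented_secret)
  return [false, :bad_secret] unless secure_compare(presented_hash, token.secret_hash)
  return [false, :revoked]    if token.revoked
  return [false, :expired]    if token.expires_at && now >= token.expires_at
  return [false, :scope]      unless token.scopes.include?(scope)
  # Conditions pin the token to one project or team; any mismatch is a deny.
  c = token.conditions
  return [false, :condition] if c[:project_id] && c[:project_id] != project_id
  return [false, :condition] if c[:team_id] && c[:team_id] != team_id
  token.last_used_at = now   # feeds the "last used" column on the token list
  [true, :ok]
end

if __FILE__ == $0
  secret, tok = create_token(name: "triage-agent",
                             scopes: %w[issues:read issues:create issues:update],
                             conditions: { project_id: 7 },
                             expires_at: Time.utc(2030, 1, 1))
  p authorize(tok, secret, "issues:update", project_id: 7, team_id: 1) # [true, :ok]
  p authorize(tok, secret, "reports:read",  project_id: 7, team_id: 1) # [false, :scope]
end
```

The check order matters: the secret is verified before any scope or condition logic runs, so a bad token never learns which scopes or projects exist.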

Why It Matters for Agents

The security operations space is moving fast toward agentic tooling: scripts and LLM-based agents that can take action in your tools, not just read from them. For that to work in practice, you need to be able to grant a specific agent a specific permission set, scoped to the work it’s actually doing, with an expiration date, and the ability to revoke it the moment the engagement is over or something looks off.

That’s exactly what this gives you. One token per agent or integration. Narrowest possible scope. Short expiry where it makes sense. If something goes wrong, revoke that token, and the rest of your setup keeps running.

The legacy API token still works for now, but we’re deprecating it in a future release. If you’re using it, now’s the time to start migrating to scoped tokens.

Try It

Head to your profile and click Personal Access Tokens. This is shipping in the next Dradis release.

We’re curious what agents or automations you’re already running against Dradis, or thinking about building. Drop it in the comments.