Improved API tokens for

June 23, 2023 · Tobias Bieniek on behalf of the team

If you recently generated a new API token on, you might have noticed our new API token creation page and some of the new features it now supports.

Previously, when clicking the "New Token" button on, you were only provided with the option to choose a token name, without any additional choices. We knew that we wanted to offer our users more flexibility, but in the previous user interface that would have been difficult, so our first step was to build a proper "New API Token" page.

Our roadmap included two essential features known as "token scopes". The first of them allows you to restrict API tokens to specific operations. For instance, you can configure a token to solely enable the publishing of new versions for existing crates, while disallowing the creation of new crates. The second one offers an optional restriction where tokens can be limited to only work for specific crate names. If you want to read more about how these features were planned and implemented you can take a look at our corresponding tracking issue.

To further enhance the security of API tokens, we prioritized the implementation of expiration dates. Since we had already touched most of the token-related code this was relatively straight-forward. We are delighted to announce that our "New API Token" page now supports endpoint scopes, crate scopes and expiration dates:

Screenshot of the "New API Token" page

Similar to the API token creation process on, you can choose to not have any expiration date, use one of the presets, or even choose a custom expiration date to suit your requirements.

If you come across any issues or have questions, feel free to reach out to us on Zulip or open an issue on GitHub.

Lastly, we, the team, would like to express our gratitude to the OpenSSF's Alpha-Omega Initiative and JFrog for their contributions to the Rust Foundation security initiative. Their support has been instrumental in enabling us to implement these features and undertake extensive security-related work on the codebase over the past few months.