Skip to content

Authentication

API tokens let you talk to the Gamemanage API from scripts, CI, or your own tools. They are separate from the per-server panel key you paste into the agent. A panel key reports a single server into the panel over its outbound connection. An API token authenticates you against the panel itself and can reach every server your account has access to.

Create a token

Tokens are created in the panel, not from the CLI. Open settings and generate one, then give it a scope before you save.

  1. 1Open the panel and go to Settings, then API tokens.
  2. 2Click Create token and give it a name you will recognize later, like ci-deploy or backup-script.
  3. 3Pick a scope: read-only for monitoring and reads, or control for actions that change a server (console commands, restarts, config writes, rollbacks).
  4. 4Copy the token value now. It is shown once and cannot be retrieved again.

Note: The token value is displayed a single time at creation. There is no way to view it again afterward. If you lose it, revoke that token and create a new one rather than trying to recover it.

Authenticate a request

Pass the token in the Authorization header as a bearer token on every request.

curl https://api.gamemanage.net/v1/servers \
  -H "Authorization: Bearer gm_tok_xxxxxxxxxxxxxxxx"

Keep the token out of source control. Read it from an environment variable instead of pasting it into a script.

export GM_TOKEN=gm_tok_xxxxxxxxxxxxxxxx

curl https://api.gamemanage.net/v1/servers \
  -H "Authorization: Bearer $GM_TOKEN"

Scopes

Scope each token to the least it needs. A read-only token can list servers and read status (players, CPU, memory, uptime, logs) but cannot change anything. A control token can also send console commands, edit config and files, and trigger backups and rollbacks. Use read-only for dashboards and alerting. Use control only where you actually mutate state, such as a deploy step.

Rotate and revoke

You can rotate or revoke a token at any time from the same settings page. Revoking takes effect immediately and any request using that token starts failing. To rotate without downtime, create the new token first, update wherever the old one is used, confirm the new token works, then revoke the old one.

Revoking an API token has no effect on your servers. The agent connection uses the per-server panel key, not your API token, so the server keeps reporting into the panel either way.

← PreviousREST APINext →Webhooks
Still stuck? Ask in Discord or contact the team.