Learn about types of access tokens and how to use them.
When setting up CI or writing a script to help manage your projects, we recommend avoiding using your username and password to authenticate. With these credentials, anyone will be able to log in and use your account.
Instead of providing credentials, you can generate tokens that will allow you to manage each integration point separately. Anyone who has access to these tokens will be able to perform actions against your account. Please treat them with the same care as a user password. In case something is leaked, you can revoke these tokens to block access.
You can create Personal access tokens from the Access tokens on your dashboard. Anyone with this token can perform actions on your behalf. That applies to all content on your Personal Account, as well as any Personal Accounts or Organizations that you have been granted access to.
Accounts can create Robot users to take actions on resources owned by the Account. Bot Users can be assigned a role to limit the actions they are authorized to perform. Bot users cannot sign in to any Expo products, cannot own any projects themselves, and can only authenticate via an access token.
You can use any tokens you have created to perform actions with the Expo CLI (other than signing in and out). To use tokens, you need to define an environment variable, like
EXPO_TOKEN="token", before running commands.
If you are using GitHub Actions, you can configure the
token property to include this environment variable in all of the job steps.
Common situations where access tokens are useful:
In case a token is accidentally leaked, you can revoke it without changing your username and password. When you revoke the access token, you block all access to your account using this token. To do this, go to the Access Token page on your dashboard and delete the token you want to revoke.