Authentication
API token scopes, security practices, and handling auth errors.
The ServerOps API uses Bearer token authentication. Every request must include a token in the Authorization header.
Header format
Authorization: Bearer so_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Tokens begin with so_live_ for production and so_test_ for test environments.
Creating tokens
Tokens are created from your dashboard. When creating a token you choose:
- Name: a label for your reference (e.g. "FiveM Production Server")
- Scopes: what the token is allowed to do
Scopes
Scopes follow the pattern product:action. A token only grants access to the specific operations listed - all others return 403 Forbidden.
| Scope | What it allows |
|---|---|
| media:read | Download and list files |
| media:write | Upload and delete files |
| logs:read | Query log entries |
| logs:write | Ingest log entries |
| cases:read | Read moderation cases |
| cases:write | Create and update cases |
| members:read | List organisation members |
| members:write | Invite and remove members |
| usage:read | Read quota usage snapshots |
Principle of least privilege
Issue tokens with only the scopes they need. A script that only uploads files should have media:write and nothing else. If that token is ever compromised, the blast radius is limited to file uploads.
Token storage
Never hardcode tokens in source code. Use environment variables or platform-specific config:
| Platform | Where to store the token |
|---|---|
| FiveM | set serverops_token "..." in server.cfg, read with GetConvar() |
| Roblox | ModuleScript in ServerStorage (never ReplicatedStorage) |
| Oxide (Rust) | oxide/config/YourPlugin.json, loaded via Oxide's config API |
| Paper (Minecraft) | plugins/YourPlugin/config.yml, loaded via getConfig() |
| Node.js | process.env.SERVEROPS_TOKEN |
| Go | os.Getenv("SERVEROPS_TOKEN") |
Error responses
401 Unauthorized
The token is missing, malformed, or has been revoked.
{
  "error": {
    "code": "unauthorized",
    "message": "missing or invalid token"
  }
}
Check that the Authorization header is present and the token value is correct.
403 Forbidden
The token is valid but does not have the required scope for the operation.
{
  "error": {
    "code": "forbidden",
    "message": "token does not have media:write scope"
  }
}
Create a new token with the correct scope.
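Client-side handling of the token and of the two error bodies above, added here as an example and not taken from ServerOps code: it reads SERVEROPS_TOKEN from the environment, rejects a token with the wrong environment prefix, redacts it for logs, and maps 401/403 responses to an operator action. The function names are hypothetical, and it assumes a 403 message names the missing scope as product:action, as the sample body does.

```javascript
'use strict';

// Token prefixes documented on this page.
const PREFIXES = { production: 'so_live_', test: 'so_test_' };

// Read the token from the environment and refuse one issued for the wrong
// environment (for example a so_live_ token picked up by a test run).
function loadToken(env, expected) {
  const token = (env.SERVEROPS_TOKEN || '').trim();
  if (!token) throw new Error('SERVEROPS_TOKEN is not set');
  if (!token.startsWith(PREFIXES[expected])) {
    throw new Error(`token is not a ${expected} token (want prefix ${PREFIXES[expected]})`);
  }
  return token;
}

function authHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Keep only the environment prefix so the secret never reaches logs.
function redact(token) {
  const m = /^so_(live|test)_/.exec(token);
  return m ? `${m[0]}[redacted]` : '[redacted]';
}

// Map a response to an operator action. Retrying never fixes a 401 or 403.
function classifyAuthError(status, body) {
  const err = (body && body.error) || {};
  if (status === 401) {
    return { retry: false, action: 'check-header-or-replace-token', code: err.code };
  }
  if (status === 403) {
    // Assumption: the message names the missing scope as product:action,
    // as in the sample 403 body on this page.
    const m = /\b([a-z]+:[a-z]+)\b/.exec(err.message || '');
    return { retry: false, action: 'issue-token-with-scope', code: err.code,
             missingScope: m ? m[1] : null };
  }
  return null; // not an authentication or authorization failure
}

// Constructed sample values, not real credentials or captured responses.
const sampleEnv = { SERVEROPS_TOKEN: 'so_test_0123456789abcdef' };
const sample403 = { error: { code: 'forbidden', message: 'token does not have media:write scope' } };
console.log(redact(loadToken(sampleEnv, 'test')), classifyAuthError(403, sample403));
```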
Token rotation
Rotate tokens periodically, or immediately if you suspect they have been exposed:
- Create a new token with the same scopes.
- Update your server config to use the new token.
- Delete the old token from the dashboard.
There is no downtime if you update and reload your server config before deleting the old token.