Sign In with Personal Access Tokens

Nhost lets you sign in users with personal access tokens (PATs), a way to sign in without an email address or password.



Personal Access Tokens can only be created through Hasura Auth or the Nhost JavaScript SDK at the moment.

Create a Personal Access Token

Users must be signed in to create a personal access token.

Example: Create a personal access token:

const expiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24 * 30) // 30 days
const metadata = { name: 'Example PAT' } // Optional metadata

const { data, error } = await nhost.auth.createPAT(expiresAt, metadata)

// Something unexpected happened
if (error) {
  console.error(error)
} else {
  console.log(data.id) // The personal access token ID (can be used to delete the token later)
  console.log(data.personalAccessToken) // The personal access token
}

Users can create multiple personal access tokens. Each token can have a different expiration date and metadata.

Sign In

Once a user has created a personal access token, they can use it to sign in.

Example: Sign in with a personal access token:

const { error, session } = await nhost.auth.signInPAT('<personal-access-token>')

// Something unexpected happened
if (error) {
  console.error(error)
} else {
  // User is signed in
}

List or Remove Personal Access Tokens

To list and remove personal access tokens, use GraphQL and set permissions on the auth.refresh_tokens table:

Example: Get all personal access tokens for a user:

query personalAccessTokens($userId: uuid!) {
  authRefreshTokens(where: { _and: [{ userId: { _eq: $userId } }, { type: { _eq: pat } }] }) {
    id
    expiresAt
    metadata
  }
}

Example: Remove a personal access token:

mutation removePersonalAccessToken($id: uuid!) {
  deleteAuthRefreshToken(id: $id) {
    id
  }
}
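
Example (added here, not part of the Nhost documentation): Hasura table metadata that limits the list query and remove mutation above to the signed-in user's own personal access tokens. It assumes the `user` role, the `X-Hasura-User-Id` session variable, and the Postgres column names `id`, `user_id`, `type`, `metadata`, `expires_at` and `created_at` on auth.refresh_tokens; check these against your own schema.

```yaml
# Assumed: Hasura metadata entry for the auth.refresh_tokens table.
# The role name and column names below are assumptions, not taken from the page.
table:
  schema: auth
  name: refresh_tokens

# Weak setting, shown commented out for contrast only: every column and an
# empty row filter let any signed-in user read every user's token rows.
#   select_permissions:
#     - role: user
#       permission:
#         columns: '*'
#         filter: {}

select_permissions:
  - role: user
    permission:
      # Descriptive columns only; the column that stores token material is not listed.
      # user_id and type must be selectable because the list query filters on them.
      columns:
        - id
        - user_id
        - type
        - metadata
        - expires_at
        - created_at
      # Row filter: only the caller's own rows, and only rows of type pat.
      filter:
        _and:
          - user_id: { _eq: X-Hasura-User-Id }
          - type: { _eq: pat }

delete_permissions:
  - role: user
    permission:
      # Same row filter, so deleteAuthRefreshToken returns null for another user's id.
      filter:
        _and:
          - user_id: { _eq: X-Hasura-User-Id }
          - type: { _eq: pat }
```

No insert or update permission is defined here, because tokens are created through `createPAT` rather than through GraphQL.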