Manage personal access tokens

To authenticate to the Azure Databricks REST API, a user can create a personal access token and use it in their REST API request. Tokens have an optional expiration date and can be revoked. See Authentication using Azure Databricks personal access tokens.

The ability to use personal access tokens is enabled by default for all Azure Databricks workspaces that were created in 2018 or later. Workspace administrators can enable or disable personal token access for all workspaces, regardless of creation date.

Workspace administrators can also monitor tokens, control which non-admin users can create tokens, and set maximum lifetimes for new tokens.

Note

You can also enable Azure Databricks users to use Azure Active Directory tokens for REST API access instead of Azure Databricks personal access tokens. If your workspace uses Azure Active Directory tokens, the instructions in this article do not apply.

When the ability to generate personal access tokens is enabled for your workspace, by default all users in your Azure Databricks workspace can generate personal access tokens to access Azure Databricks REST APIs, and they can generate these tokens with any expiration date they like, including an indefinite lifetime.

As an Azure Databricks admin, you can use the Token Management API and Permissions API to control token usage at a more fine-grained level. The APIs are published on each workspace instance. To learn how to access and authenticate to the API, see Authentication using Azure Databricks personal access tokens. You must access the API as an Azure Databricks admin.

For some tasks, you can also use the Admin Console.

The following table indicates the tasks you can perform using the web application and those you can perform using the REST APIs. For the cells that say Yes, click the word to view the related documentation.

| Task | Description | Admin Console | REST API |
|---|---|---|---|
| Enable/disable | Enable or disable all tokens for this workspace | Yes | Yes |
| Control who can use tokens | Limit personal access token creation and usage to specified users and groups in this workspace. If you revoke a user's permission to create and use tokens, that user's existing tokens are also revoked. | Yes | Yes |
| Max lifetime for new tokens | Set the maximum lifetime of new tokens in this workspace | No | Yes |
| Manage existing tokens | For existing tokens, get the token creator, expiration date, and user-provided token description. Revoke tokens for users who should no longer have access to Azure Databricks APIs. By monitoring and controlling token creation, you reduce the risk of lost tokens or long-lasting tokens that could lead to data exfiltration from the workspace. | No | Yes |

See the following diagram for the typical flow of token management using the REST API for administration and token usage. See the table in this topic for the set of tasks that you can alternatively perform using the Admin Console.

[Figure: Token management]

Enable or disable token-based authentication for the workspace

Token-based authentication is enabled by default for all Azure Databricks workspaces that were created in 2018 or later. You can change this setting in the Admin Console. To specify which users are allowed to use tokens, see Control who can use or create tokens.

To enable or disable personal access tokens for the workspace:

  1. Go to the Admin Console.
  2. Select the Access Control tab.
  3. To enable access, click the Enable button next to Personal Access Tokens. To disable access, click the Disable button.
  4. Click Confirm to confirm the change. This change may take a few seconds to take effect.

To use token-based authentication for a REST API request, see Authentication using Azure Databricks personal access tokens.

No tokens are deleted when you disable token-based authentication for a workspace. If tokens are re-enabled later, any non-expired tokens are immediately available for use.

If you want to disable token access for a subset of users, keep token-based authentication enabled for the workspace and set fine-grained permissions for users and groups. See Control who can use or create tokens.

You can also use the REST API to make this change. To enable or disable the token management feature for a workspace, call the workspace configuration for tokens API (PATCH /workspace-conf). In a JSON request body, specify enableTokensConfig as true (enabled) or false (disabled).

For example, to enable the feature:

# -n makes curl read the credentials from ~/.netrc.
curl -X PATCH -n \
  https://<databricks-instance>/api/2.0/workspace-conf \
  -d '{
    "enableTokensConfig": "true"
    }'

Control who can use or create tokens

A user can have one of the following token permissions:

  • No permissions

  • Can Use – For workspaces created after the release of Azure Databricks platform version 3.28 (Sept 9-15, 2020) the default is for no users to have the Can Use permission. Admins must explicitly grant those permissions, whether to the entire users group or on a user-by-user or group-by-group basis.

    Important

    Workspaces created before 3.28 was released will maintain the permissions that were already in place. The default was for all users to have the Can Use permission. Admins can revoke that group permission and grant it to other groups or to individual non-admin users. See Remove permissions.

  • Can Manage – Users in the admins group have this permission by default and you cannot revoke it. No other groups can be granted this permission. The API enforces these rules.

This table lists the permissions required for each token-related task:

| Task | No permission | Can Use | Can Manage |
|---|---|---|---|
| Create a token | | Yes | Yes |
| Use a token for authentication | | Yes | Yes |
| Revoke your own token | | Yes | Yes |
| Revoke any user's token * | | | Yes |
| List all tokens * | | | Yes |
| Modify token permissions ** | | | Yes |

Actions that are marked with * require the Token Management API.

Actions that are marked with ** can be performed in the Admin Console or with the Permissions API. See Control who can use or create tokens.

Manage token permissions using the Admin Console

To manage token permissions for the workspace using the Admin Console:

  1. Go to the Admin Console.

  2. Select the Access Control tab.

  3. If token-based authentication is disabled, click the Enable button next to Personal Access Tokens. Click Confirm to confirm the change. This change may take a few seconds to take effect.

    [Figure: Token enablement]

  4. Click the Permissions Settings button to open the token permission editor.

    [Figure: Token permissions editor]

  5. Add or remove permissions.

    Important

    For workspaces created after the release of Azure Databricks platform version 3.28 (Sept 9-15, 2020) the default is for no users to have the Can Use permission. Admins must explicitly grant those permissions, whether to the entire users group or on a user-by-user or group-by-group basis. Workspaces created before 3.28 was released maintain the permissions that were already in place. The default was for all users to have the Can Use permission. Admins can revoke that group permission assignment and grant it to other groups or to individual non-admin users.

    If the users group has the Can Use permission and you want to apply more fine-grained access for non-admin users, remove the Can Use permission from the users group by clicking the X next to the permission drop-down in the users row.

    To grant the permission to other entities, select each user or group to whom you want to grant access. Select a user or group from the Select User or Group… drop-down, select Can Use, and click the + Add button. In the following example, the admin has removed access for the users group and is granting access to the Data Science B2 group.

    [Figure: Token permissions editor]

    The admins group has Can Manage permissions, which you cannot change, nor can you assign Can Manage to any entity other than the admins group.

  6. Click Save to save your changes.

    Warning

    After saving your changes, any users who previously had either Can Use or Can Manage permission but no longer have either permission are denied access to token-based authentication and their active tokens are immediately deleted (revoked). Deleted tokens cannot be retrieved.

Manage token permissions using the Permissions API

Get all token permissions for the workspace

To get token permissions for all Azure Databricks users, Azure Databricks groups, and Azure service principals for the workspace, call the get all token permissions for the workspace API (GET /permissions/authorization/tokens).

The response includes an access_control_list array. Each element is a user object, a group object, or a service principal object. They each have an identity field appropriate to the type: users have a user_name field, groups have a group_name field, and service principals have a service_principal_name field. All elements have an all_permissions field that specifies what permission levels (CAN_USE or CAN_MANAGE) are granted.

For example:

curl -n -X GET "https://<databricks-instance>/api/2.0/preview/permissions/authorization/tokens"

Example response:

{
  "object_id": "authorization/tokens",
  "object_type": "tokens",
  "access_control_list": [
    {
      "user_name": "jsmith@example.com",
      "all_permissions": [
        {
          "permission_level": "CAN_USE",
          "inherited": false
        }
      ]
    }
  ]
}

Set token permissions

To set token permissions, call the set token permissions API (PATCH /permissions/authorization/tokens).

You can set permissions on one or more users, groups, or Azure service principals. For each user, you need to know the email address, which is specified in the user_name request property. For each group, specify the group name in the group_name property. For an Azure service principal, specify the service principal name in the service_principal_name property.

Entities (such as users or groups) not mentioned explicitly are not directly affected by this request, although changes to group membership can indirectly affect user access.

You can only grant, not revoke, permissions with this API.

For example, the following example grants access to user jsmith@example.com and the group mygroup.

# PATCH only adds grants; entries not listed keep their current permissions.
curl -n -X PATCH "https://<databricks-instance>/api/2.0/preview/permissions/authorization/tokens" \
  -d '{
    "access_control_list": [
      {
        "user_name": "jsmith@example.com",
        "permission_level": "CAN_USE"
      },
      {
        "group_name": "mygroup",
        "permission_level": "CAN_USE"
      }
    ]
  }'

Example response:

{
  "access_control_list": [
    {
      "user_name": "jsmith@example.com",
      "all_permissions": [
        {
          "permission_level": "CAN_USE",
          "inherited": false
        }
      ]
    },
    {
      "group_name": "mygroup",
      "all_permissions": [
        {
          "permission_level": "CAN_USE",
          "inherited": false
        }
      ]
    }
  ]
}

If you want to set token permissions for all entities in the workspace in one request, use the update all permissions API (PUT /permissions/authorization/tokens). See Remove permissions.

Remove permissions

Note

For workspaces created after the release of Azure Databricks platform version 3.28 (Sept 9-15, 2020) the default is for no users to have the Can Use permission. Admins must explicitly grant those permissions, whether to the entire users group or on a user-by-user or group-by-group basis. Workspaces created before 3.28 was released maintain the permissions that were already in place. The default was for all users to have the Can Use permission. Admins can revoke that group permission assignment and grant it to other groups or to individual non-admin users.

To remove permissions from all or some non-admin users, use the update all permissions API (PUT /permissions/authorization/tokens), which requires that you specify the complete set of permissions for all objects that are granted permissions for the entire workspace.

If you want to authorize a subset of non-admin users to create and use tokens, do all three of the following:

  • Grant the users, groups, and Azure service principals the CAN_USE permission.
  • Do not grant the CAN_USE permission to the built-in users group if you want to only authorize some non-admin users. You can optionally choose to assign the permission to this group, in which case all non-admin users can create and use tokens.
  • Grant the built-in admins group the CAN_MANAGE permission. This is a requirement of the API.

Warning

After a successful request, if a user or Azure service principal does not have token permissions directly or indirectly through a group, their tokens are immediately deleted. Deleted tokens cannot be retrieved.

The following example grants Can Use tokens permission to group field-automation-group, omits permissions for the users (all users) group, and grants CAN_MANAGE permission to the admins group as required by the API. Any non-admin users that are not in the group field-automation-group will lose access to token creation and their existing tokens are immediately deleted (revoked).

# PUT replaces the whole permission set; anything not listed here is removed.
curl -n -X PUT "https://<databricks-instance>/api/2.0/preview/permissions/authorization/tokens" \
  -d '{
    "access_control_list": [
      {
        "group_name": "field-automation-group",
        "permission_level": "CAN_USE"
      },
      {
        "group_name": "admins",
        "permission_level": "CAN_MANAGE"
      }
    ]
  }'
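
Because a PUT replaces the full permission set and deletes tokens immediately, it helps to compare the proposed body with the current permissions before sending it. The following is an added example, not part of the original article or Databricks code: the GET response is a constructed sample, and the helper names (principal, direct_grants, preflight) are hypothetical.

```python
import json

# Constructed sample of a GET /permissions/authorization/tokens response.
CURRENT_ACL = json.loads("""
{
  "object_id": "authorization/tokens",
  "object_type": "tokens",
  "access_control_list": [
    {"group_name": "users",
     "all_permissions": [{"permission_level": "CAN_USE", "inherited": false}]},
    {"user_name": "jsmith@example.com",
     "all_permissions": [{"permission_level": "CAN_USE", "inherited": false}]},
    {"group_name": "admins",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": false}]}
  ]
}
""")

# The PUT request body from the article's example.
PROPOSED_PUT = {
    "access_control_list": [
        {"group_name": "field-automation-group", "permission_level": "CAN_USE"},
        {"group_name": "admins", "permission_level": "CAN_MANAGE"},
    ]
}

IDENTITY_FIELDS = ("user_name", "group_name", "service_principal_name")


def principal(entry):
    """Return (identity_field, name) for an ACL entry (hypothetical helper)."""
    for field in IDENTITY_FIELDS:
        if field in entry:
            return field, entry[field]
    raise ValueError(f"ACL entry has no identity field: {entry}")


def direct_grants(get_response):
    """Principals that hold a non-inherited token permission today."""
    grants = {}
    for entry in get_response["access_control_list"]:
        levels = {p["permission_level"] for p in entry["all_permissions"]
                  if not p.get("inherited", False)}
        if levels:
            grants[principal(entry)] = levels
    return grants


def preflight(get_response, put_body):
    """Check a proposed PUT body against the rules stated in the article."""
    proposed = {principal(e): e["permission_level"]
                for e in put_body["access_control_list"]}
    problems = []
    if proposed.get(("group_name", "admins")) != "CAN_MANAGE":
        problems.append("admins group must be granted CAN_MANAGE")
    for who, level in proposed.items():
        if level == "CAN_MANAGE" and who != ("group_name", "admins"):
            problems.append(f"CAN_MANAGE cannot be granted to {who[1]}")
    # Direct grants that disappear; those principals keep their tokens only
    # if they are members of a group that is still listed in the PUT body.
    dropped = sorted(set(direct_grants(get_response)) - set(proposed))
    return {"problems": problems, "dropped": dropped,
            "all_users_granted": ("group_name", "users") in proposed}


if __name__ == "__main__":
    print(json.dumps(preflight(CURRENT_ACL, PROPOSED_PUT), indent=2))
```

Group membership is not visible in the permissions response, so each entry in dropped still needs a membership check against the groups that remain.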

Set maximum lifetime of new tokens (REST API only)

Use the token lifetime management APIs to manage the maximum lifetime of new tokens in this workspace.

To set the maximum lifetime for new tokens, call the Set the maximum token lifetime for new tokens API (PATCH /workspace-conf). Set maxTokenLifetimeDays to the maximum token lifetime of new tokens in days, as an integer. If you set it to zero, new tokens are permitted to have no lifetime limit.

For example:

# Limit new tokens to a lifetime of at most 90 days.
curl -n -X PATCH "https://<databricks-instance>/api/2.0/workspace-conf" \
  -d '{
  "maxTokenLifetimeDays": "90"
  }'

Warning

This limit applies only to new tokens. To review existing tokens, see the get tokens API.

To get the workspace's maximum lifetime for new tokens, call the get the maximum token lifetime for new tokens API (GET /workspace-conf) and pass keys=maxTokenLifetimeDays as a query parameter. The response includes a maxTokenLifetimeDays property that is the maximum token lifetime of new tokens in days, as an integer. If it is zero, new tokens are permitted to have no lifetime limit.

For example:

curl -n -X GET "https://<databricks-instance>/api/2.0/workspace-conf?keys=maxTokenLifetimeDays"

Example response:

{
    "maxTokenLifetimeDays": "90"
}

Monitor and revoke tokens (REST API only)

Use the token management APIs to manage existing tokens in the workspace.

Get tokens for the workspace

To get the workspace's tokens, call the get all tokens API (GET /token-management/tokens). The response includes a token_infos array. Each element represents a token and includes fields for ID (token_id), creation time (creation_time), expiry time (expiry_time), description (comment), and the user that created it (the ID is created_by_id and the username is created_by_username). You can learn more about the user using the SCIM get user API (GET /scim/v2/Users/{id}).

To filter results by a user, set the request body property created_by_id (for the ID) or created_by_username (for the username). You can get a user ID from a display name using the SCIM get users API (GET /scim/v2/Users).

For example:

# List only the tokens created by the user with this ID.
curl -n -X GET "https://<databricks-instance>/api/2.0/token-management/tokens" \
  -d '{
  "created_by_id": "1234567890"
  }'

Example response:

{
  "token_infos": [
    {
      "token_id": "<token-id>",
      "creation_time": 1580265020299,
      "expiry_time": 1580265020299,
      "comment": "This is for ABC division's automation scripts.",
      "created_by_id": 1234567890,
      "created_by_username": "jsmith@example.com"
    }
  ]
}

Alternatively, get a specific token using the get a token API (GET /token-management/tokens/{token_id}).
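
The maximum lifetime applies only to new tokens, so existing tokens need a separate review. The following added example (not part of the original article or Databricks code) audits a get all tokens response against the workspace's maxTokenLifetimeDays value. The sample responses and token IDs are constructed, the function names are hypothetical, and treating a missing or negative expiry_time as "no expiry" is an assumption.

```python
import json
from datetime import datetime, timezone

MS_PER_DAY = 24 * 60 * 60 * 1000

# Constructed sample in the shape of a GET /token-management/tokens response.
# Token IDs are placeholders; -1 meaning "no expiry" is an assumption here.
SAMPLE_TOKENS = json.loads("""
{"token_infos": [
  {"token_id": "tok-a", "creation_time": 1580265020299, "expiry_time": 1588041020299,
   "comment": "90-day automation token", "created_by_id": 1234567890,
   "created_by_username": "jsmith@example.com"},
  {"token_id": "tok-b", "creation_time": 1580265020299, "expiry_time": -1,
   "comment": "no expiry set", "created_by_id": 1234567890,
   "created_by_username": "jsmith@example.com"},
  {"token_id": "tok-c", "creation_time": 1580265020299, "expiry_time": 1611801020299,
   "comment": "one-year token", "created_by_id": 2345678901,
   "created_by_username": "adoe@example.com"}
]}
""")

# Shape of the GET /workspace-conf?keys=maxTokenLifetimeDays response.
SAMPLE_CONF = {"maxTokenLifetimeDays": "90"}


def iso(ms):
    """Epoch milliseconds to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def audit_tokens(tokens_response, conf_response, now_ms):
    """Return still-active tokens that the current lifetime limit would not allow."""
    max_days = int(conf_response.get("maxTokenLifetimeDays", "0"))
    if max_days == 0:
        return []  # zero means no lifetime limit, so nothing is out of policy
    limit_ms = max_days * MS_PER_DAY
    findings = []
    for tok in tokens_response.get("token_infos", []):
        expiry = tok.get("expiry_time")
        if expiry is None or expiry < 0:
            reason = "no expiry"
        elif expiry <= now_ms:
            continue  # already expired, cannot be used
        elif expiry - tok["creation_time"] > limit_ms:
            reason = f"lifetime exceeds {max_days} days (expires {iso(expiry)})"
        else:
            continue  # within the limit
        findings.append({"token_id": tok["token_id"],
                         "owner": tok.get("created_by_username"),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_TOKENS, SAMPLE_CONF, now_ms=1585000000000):
        print(finding)
```

Each token_id in the result is a candidate for the delete a token API (DELETE /token-management/tokens/{token_id}).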

Delete (revoke) a token

  1. Find the token ID. See Get tokens for the workspace.
  2. Call the delete a token API (DELETE /token-management/tokens). Pass the token ID in the path.

For example:

curl -n -X DELETE "https://<databricks-instance>/api/2.0/token-management/tokens/<token-id>"