Revoking API Tokens

How to manage, rotate, and revoke personal API tokens used for the Krokanti Notes REST API and MCP integration.

3 min read·Krokanti Notes Help

Personal API tokens let you access Krokanti Notes from external tools — scripts, automations, AI assistants (via MCP), and integrations. If a token is compromised or no longer needed, you should revoke it immediately.

What Are API Tokens?

API tokens are long-lived credentials in the format kn_ followed by 40 hex characters (e.g., kn_a3f8b2c1...). They are an alternative to session cookies for programmatic access to the Krokanti Notes API.

Tokens are stored as SHA-256 hashes — the raw token is shown only once when created and never stored in plaintext. If you lose a token, you cannot recover it — create a new one.

Viewing Your Tokens

  1. Go to Settings → Connections
  2. Under Personal API Tokens, you'll see a list of all active tokens with their names, creation dates, and last-used timestamps

Revoking a Token

  1. Go to Settings → Connections
  2. Find the token you want to revoke
  3. Click Revoke next to it
  4. Confirm the action

The token is immediately deactivated — any request using it will receive a 401 Unauthorized response.

Revoking a token is immediate and irreversible. If you're using the token in an automation or integration, it will stop working instantly. Update the integration with a new token before revoking the old one if downtime is a concern.

When to Revoke

Revoke a token when:

  • You no longer use the tool or integration it was created for
  • You suspect the token was accidentally exposed (e.g., committed to a public repo, shown in a log)
  • You're rotating credentials as part of a security audit
  • You lose a device where the token was stored
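Because the token format is fixed (kn_ followed by 40 hex characters), accidental exposure in a repository or log can be checked for mechanically. The following is an added example, not code from Krokanti Notes: a small scanner that can run as a pre-commit check or over log files, where the function names, the acceptance of upper-case hex and the sample token values are assumptions.

```python
import hashlib
import re
import sys
from pathlib import Path

# Format documented on this page: "kn_" followed by 40 hex characters.
# Accepting upper-case hex is an assumption; the page's example is lower-case.
TOKEN_RE = re.compile(r"\bkn_[0-9a-fA-F]{40}\b")


def fingerprint(token: str) -> str:
    """Short SHA-256 fingerprint for naming a token in a report without repeating it.
    Local identifier only; not claimed to equal the hash the service stores."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()[:12]


def redact(text: str) -> str:
    """Replace each token with a fingerprinted marker so the text is safe to share."""
    return TOKEN_RE.sub(lambda m: f"kn_[REDACTED sha256:{fingerprint(m.group())}]", text)


def scan(text: str, source: str = "<input>"):
    """Return one finding per token occurrence: (source, line number, fingerprint)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            findings.append((source, lineno, fingerprint(m.group())))
    return findings


# Constructed sample input; the token values are made up for this example.
SAMPLE = "\n".join([
    "export KN_TOKEN=kn_" + "a3f8b2c1" * 5,
    "GET /notes 200 auth=kn_" + "0123456789" * 4 + " ua=curl",
    "too short, ignored: kn_deadbeef",
    "too long, ignored: kn_" + "f" * 41,
])

if __name__ == "__main__":
    # Scan files given as arguments (e.g. staged files in a hook), else the sample.
    inputs = [(p, Path(p).read_text(errors="replace")) for p in sys.argv[1:]]
    inputs = inputs or [("sample", SAMPLE)]
    hits = [f for name, text in inputs for f in scan(text, name)]
    for source, lineno, fp in hits:
        print(f"{source}:{lineno}: Krokanti Notes token found (sha256:{fp})")
    sys.exit(1 if hits else 0)
```

A non-zero exit status blocks the commit when used as a hook; any token the scanner reports should be treated as exposed and revoked as described on this page.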

Token Rotation (Best Practice)

For security, rotate your tokens periodically:

  1. Create a new token in Settings → Connections
  2. Update your integration/tool to use the new token
  3. Verify the integration works with the new token
  4. Revoke the old token

This way, there's no downtime during the rotation.

Creating a New Token

  1. Go to Settings → Connections
  2. Click New token
  3. Enter a descriptive name (e.g., "Claude Code MCP", "Home Server Script")
  4. Click Create — the token value is shown once. Copy it immediately.

Name your tokens descriptively so you know what each one is used for. "Token 1" is less useful than "Claude Desktop MCP" or "Zapier Automation".

Security Properties

  • Tokens are stored as SHA-256 hashes — a database breach doesn't expose raw tokens
  • Tokens have a rate limit of 100 requests per minute
  • Token-based requests cannot create or revoke other tokens (session-only operation)
  • All token operations are recorded in the audit log (Settings → Security → Audit log)
