API Access
API Access lets an administrator create read-only public API tokens for external systems that need KartuStok data.
Use API Access when another trusted system needs to read KartuStok company metadata, items, warehouses, categories, or stock report data.
Menu Location and Access
Open Manage -> Integrations -> API Access.

| Action | Permission |
|---|---|
| View API tokens | apiAccessView |
| Generate token | apiAccessCreate |
| Revoke token | apiAccessRevoke |
Token List

The list shows:

| Column | Meaning |
|---|---|
| Name | Token label for the integration. |
| Prefix | First part of the token, used to identify it later. |
| Scopes | Data scopes granted to the token. |
| Status | Active or inactive. |
| Last Used | Last time the token was used, if available. |
| Expires | Expiry date, if configured. |
| Revoke | Action to deactivate an active token. |
Create API Access

| Field | Meaning |
|---|---|
| Name | Integration name, required. |
| Expires At | Optional expiry date. If left blank, the token has no configured expiry date. |
| Scopes | At least one scope must be selected. Available scopes include company metadata, items, warehouses, item categories, and stock reports. |
| Allowed IPs | Optional IP allowlist. Values can be entered on separate lines or separated by commas. |
After selecting Generate Token, KartuStok shows the full token once, in a Copy Token Now card. Store it securely. Afterwards the list shows only the token prefix, never the full token.
Important: The full token is shown only once. If it is not copied and stored immediately, create a new token.
Example Endpoint Display
The page shows an example public API base URL (built from the active browser origin) and an example /public/v1/items request that sends the token in a bearer token header.
Operational Example: Reporting Integration

| Step | Action | Why |
|---|---|---|
| 1 | Create a token named after the integration, for example BI Dashboard. | Tokens are easier to audit later. |
| 2 | Select only read scopes needed by that integration. | Limits exposed data. |
| 3 | Set Expires At if the integration is temporary. | Avoids forgotten long-lived access. |
| 4 | Fill Allowed IPs if the integration has stable server IPs. | Reduces token misuse risk. |
| 5 | Copy the token immediately. | The full token is shown only once. |
Create a separate token for each integration. Do not share one token across unrelated systems.
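A minimal client for the reporting-integration steps above, as an added example that is not part of KartuStok's documentation or code: it reads the stored full token from an environment variable, sends the /public/v1/items request with the bearer token header described on this page, keeps only a short prefix for its own logs, and sanity-checks an Allowed IPs entry before it is pasted into the form. The base URL, the environment variable name, the 8-character prefix length and the allowed-IP helper are assumptions, not KartuStok specifics.

```python
import ipaddress
import os
import urllib.request
from typing import Dict, List, Optional

# Hypothetical base URL; the real one is shown on the API Access page.
DEFAULT_BASE_URL = "https://kartustok.example/public/v1"
TOKEN_ENV_VAR = "KARTUSTOK_API_TOKEN"  # assumed name for the stored full token


def bearer_headers(token: str) -> Dict[str, str]:
    """Build the bearer token header the public API expects."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be a single non-empty string without whitespace")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def token_prefix(token: str, length: int = 8) -> str:
    """Return only the leading part of a token for logs and audit trails.
    Never log the full value; 8 characters is an assumed length, not KartuStok's."""
    return token[:length]


def parse_allowed_ips(raw: str) -> List[str]:
    """Normalise an Allowed IPs entry (one per line or comma-separated) and
    reject anything that is not a valid IPv4/IPv6 address (raises ValueError).
    Assumed helper for checking values before filling in the form."""
    values = [v.strip() for v in raw.replace(",", "\n").splitlines()]
    result = []
    for value in values:
        if not value:
            continue  # skip blank lines and trailing separators
        ipaddress.ip_address(value)  # ValueError on a malformed entry
        result.append(value)
    return result


def fetch_items(base_url: str = DEFAULT_BASE_URL, token: Optional[str] = None) -> bytes:
    """GET /public/v1/items with the bearer token. Needs network access."""
    token = token or os.environ.get(TOKEN_ENV_VAR)
    if not token:
        raise RuntimeError(f"set {TOKEN_ENV_VAR}; the full token is shown only once in KartuStok")
    req = urllib.request.Request(f"{base_url.rstrip('/')}/items", headers=bearer_headers(token))
    print(f"calling {req.full_url} with token prefix {token_prefix(token)}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

An unauthorized response from fetch_items points back to the checklist in Common Problems: token value, active status, expiry date, scopes, and the Allowed IPs list if the caller's address changed.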
Common Problems

| Problem | Fix |
|---|---|
| Token disappeared after creation | This is expected; the full token is shown only once. Create a new token if it was not stored. |
| External system gets unauthorized response | Check token value, active status, expiry date, and scopes. |
| Token should no longer work | Use Revoke on the token list. |
Security Practice
- Create one token per integration.
- Give each token only the scopes it needs.
- Use Allowed IPs when the integration runs from stable server addresses.
- Revoke tokens that are no longer used.
- Store the full token in the external system immediately because it is shown only once.
Technical endpoint details are maintained separately from this user guide.
