Docs › profile-and-settings

API Tokens

Creating and managing tokens for the CueProX REST API.

API Tokens

API tokens let external tools and integrations control CueProX over HTTP — starting sessions, advancing cues, pushing alerts, managing Q&A, and more. Any tool that can make HTTP requests can authenticate with a token you generate from your account settings.

Note

API token management is only available to the account owner.

What API tokens are for

The CueProX REST API lets you automate or extend what you do in the director view. Common uses:

Button controllers — a Stream Deck or Companion device that advances cues or pushes alerts with a physical button press
Automation — scripts that start sessions, push alerts on a schedule, or close Q&A at a specific time
Integrations — third-party production software that reads room state or drives cue advancement

Every API request must include a valid token. Without one, the request is rejected.

Creating a token

Go to /dashboard/settings and open the API Tokens tab.

Click Create token. Enter a name that identifies what the token is for — "Companion tablet", "Stream Deck", "Automation server". A clear name makes it easy to know which token to revoke if a device is lost or decommissioned.

The one-time reveal

After you confirm, a modal displays the complete token. Tokens always start with cprx_.

This is the only time the token value is shown. CueProX stores only a hash and cannot retrieve the plain text later. Copy it immediately and save it somewhere secure — a password manager, a secrets manager, or the device configuration that will use it.

Once you close the modal, the token list shows only the first 12 characters (the prefix, e.g. cprx_abc12345) — enough to identify which token is which, but not usable for API requests.

Warning

If you close the reveal modal before copying the token, you cannot recover it. Revoke the token and create a new one.

Revoking a token

In the API Tokens tab, find the token you want to disable and click Revoke. Revocation is immediate — any tool using that token is rejected on its next request.

Revoked tokens appear in a collapsed list below the active tokens. Revocation is permanent; a revoked token cannot be re-enabled.

Token security

Tokens are long-lived by default — they don't expire unless you revoke them. That makes security practices important:

Store tokens in environment variables or a secrets manager, not in source code or config files checked into version control
Don't share tokens in Slack, email, or chat — if a token needs to reach another person, use a secure transfer method
Tokens can be scoped to specific rooms or to your entire account — choose room-scoped tokens for production setups where you want to limit blast radius
Every request made with a token is logged with the endpoint, method, status code, and source IP

Connecting Companion

CueProX integrates with Bitfocus Companion for button-box control of cue advancement, session management, and alert pushing. Set up the Companion integration using the HTTP request actions and your token. See the Companion integration guide for full setup instructions.

Was this helpful?

PreviousTwo-factor authentication

Next Pre-show checklist

Edit this page on GitHub