Summary
API Access Tokens can only be created at the personal user level (Account → Settings → Access). There is no option to create an org-level API token for authenticating REST API v2 calls.
Org-level tokens exist today but only support uploads; they cannot be used for API authentication.
Use Case
Some customers need org-level API tokens for CI/CD workflows that call the REST API (e.g., GET /api/v2/.../commits/{commitid}/uploads). Personal tokens are problematic in this context because:
- They're tied to individual employees — if the user leaves or is deactivated, CI/CD breaks
- They're not auditable at the org level
- They create a single point of failure on one person's account
Customer Context
Raised by a customer running CI/CD integrations against the Codecov API. They initially couldn't locate API tokens at all (resolved — they were checking org settings instead of personal settings), but the follow-up concern is that a personal token isn't appropriate for org-wide CI/CD use.