Cannot create Personal Access Token with second account



We are currently using two management accounts, one with full access (role:admin) and one with less access (role:maintainer).

The maintainer role has the following rights/claims set:
account:read, user:write, user:read, trialPolicy:write, trialPolicy:read, trialActivation:write, trialActivation:read, tag:write, tag:read, role:read, release:write, release:read, product:write, product:read, personalAccessToken:write, licensePolicy:write, licensePolicy:read, license:write, license:read, invoice:read, eventLog:read, analytics:read, activation:read, account:write, webhook:read, webhook:write

With the maintainer account I’m not able to generate a personal access token; it always fails with “scope ‘xxx’ is not allowed”, where xxx stands for the first ticked scope in the list.

Is it possible that only admin accounts are allowed to create tokens?



Hi Daniel,

A user cannot create a personal access token containing a permission which it itself doesn’t have. Its access token permissions should always be a subset of its role permissions.


Hi Adnan,

Tried this also and it doesn’t work either. I selected just one of the permissions that the account has and I still can’t create the token.


Hi Daniel,

It was a bug. It has been fixed now.


Thank you very much, now everything works as expected 🙂