Skip to main content
To use Membrane, you need a Membrane Token. This page explains the different types of tokens and how to get them.

Membrane Token

The main way to authenticate. Sign a JWT with your workspace key and secret. You can find your workspace key and secret on the Access page in Console Settings.

Token fields

FieldRequiredDescription
workspaceKeyYesYour workspace key
tenantKeyNoIdentifier of the tenant (user, team, or org). Omit for workspace-level operations.
nameNoHuman-readable tenant name (helps with troubleshooting)
fieldsNoAdditional metadata to store about the tenant

Public/Private Key Signing

For stronger security, you can sign tokens with a public/private key pair instead of a shared secret. Pass the private key to the sign method and provide the public key in the workspace settings. Use any asymmetric algorithm: ES256, RS256, PS256, etc.

Test Token

For quick testing, get a pre-generated test token from the Access page in Console Settings.

Long-lived Tokens

For tokens that don’t expire, create a Long-lived Token on the Access page in Console Settings under the Client Tokens section.

Workspace Management Token

For administrative operations that affect the entire workspace — managing tenants, updating workspace settings, importing/exporting configuration, and other operations that aren’t scoped to a single tenant. Include isAdmin: true in the token payload and omit tenantKey:

Developer Token

Acts on behalf of your Membrane account — can do anything you can across all your workspaces. Get one from API Tokens in Console Settings.

Membrane Instance Token

For self-hosted Membrane instances. See Self-hosting for details.