Introducing Personal Access Credentials (PACs) and Removing Site Credentials

Earlier this year, the Daml Hub team introduced Personal Access Credentials (PACs), which are long-lived, stable credentials that you can configure with human-readable names, set expiration dates, and specific permissions. From these PACs you can in turn generate short-lived access tokens which are used when making API requests to Daml Hub. Documentation for PACs can be found here.

Screenshot 2023-08-04 at 1.52.17 PM

As a result of the introduction of PACs, site credentials were deprecated, and they will be completely removed on Wednesday, September 27, 2023. If you currently use site credentials, please upgrade to using PACs.

Upgrading from user account tokens to personal access credentials (PACs) is a straightforward process that can be managed in just a few steps, but there are some details to note:

  1. Create a new PAC and set the desired lifetime. The PAC can be valid for up to one year. 

    Important: Be sure to save the secret associated with the PAC before you leave the Personal Access Credentials tab. Once you leave the tab, the secret becomes permanently unavailable.

  2. Update your API calls. The API call to make use of site-credentials (i.e., to obtain a token) is curl -XPOST -H 'Authorization: Basic <site-cred>' . PACs use curl -XPOST -H 'Authorization: Basic <pac>'. The new call is displayed for customers to copy when the PAC is created.

  3. If you’re currently using site credentials to obtain tokens for the CLI, you can now use the command damlhub auth login pac <pac> . This allows the CLI to obtain and refresh tokens for itself without additional human input until the PAC is expired or revoked.

  4. Once you have confirmed that steps 1 through 3 are successful, delete the old site credential. Be aware that this will also revoke all active Access Tokens created from the site-credential just deleted.