There are two types of tokens in Lokalise.
SDK tokens
SDK tokens are used with iOS, Android, and Flutter SDKs to implement over-the-air flow. These tokens are tied to the project and can be generated under Project settings > General.
API tokens
API tokens are used with the Lokalise API. A token works like a password for accessing the Lokalise platform. It is sent with every API request to authenticate the sender, so that Lokalise can check what access rights the sender has. If the token is incorrect or missing, the API request will fail. For this reason the token must not be publicly accessible (for example, you must not share it on GitHub): if a malicious user obtains your token, they can perform any operation under your name. This is especially important if you (and, consequently, your token) have team owner access rights, because in that case the token can be used to manage any project within the team. For an extra level of protection, you can create a separate user with limited access rights and generate an API token under that user's name. Each developer and each separate service in testing and production should use their own API token.
To create an API token, first proceed to the API token menu. To do this, click on your avatar in the bottom left corner and then proceed to Profile settings > API tokens.
From there you can see all created tokens and create a new one. To create a new API token, click Generate new token > select the token type > click Ok. Tokens can have one of the following types: read/write (you can read and perform modifications using this token) and read-only (you can only read the data without modifying it).
The newly added token then appears in your list.
Please note that the token has the same access rights as the user who generated it. For example, if John is the team owner and he generates a read/write token, then this token can be used to manage any project within the team. If Ann has admin access rights to a single project only, then her token can be used to manage only that exact project.
Finally, the API tokens do not have expiration dates. You can revoke them manually by opening Profile > API tokens and then clicking Delete token.
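Because a token inherits its owner's rights, should not be shared between developers or services, and never expires, it helps to keep your own inventory of issued tokens and audit it regularly. The script below is an added example, not Lokalise code: the inventory format, the role labels, and the 90-day rotation threshold are all assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed rotation policy: tokens never expire on their own, so flag old ones.
MAX_AGE_DAYS = 90

@dataclass
class TokenRecord:
    """One row of a self-maintained inventory (hypothetical format).
    Store a label for the token, never the token value itself."""
    label: str
    owner: str        # user who generated the token
    owner_role: str   # hypothetical labels: "team_owner", "project_admin", "limited"
    token_type: str   # "read/write" or "read-only", as offered on creation
    used_by: list     # developers or services that hold this token
    created: date

def audit(records, today):
    """Return (label, finding) pairs for tokens that break the guidance above."""
    findings = []
    for r in records:
        # Each developer and each service should have its own token.
        if len(r.used_by) > 1:
            findings.append((r.label, "shared"))
        # A read/write token of a team owner can manage every project in the team.
        if r.owner_role == "team_owner" and r.token_type == "read/write":
            findings.append((r.label, "owner-rw"))
        # No built-in expiry: old tokens must be revoked and reissued manually.
        if (today - r.created).days > MAX_AGE_DAYS:
            findings.append((r.label, "stale"))
    return findings

# Constructed sample inventory.
SAMPLE = [
    TokenRecord("ci-pipeline", "john", "team_owner", "read/write",
                ["ci"], date(2024, 1, 10)),
    TokenRecord("shared-dev", "ann", "project_admin", "read/write",
                ["alice", "bob"], date(2024, 5, 1)),
    TokenRecord("reporting", "svc-reporting", "limited", "read-only",
                ["reporting"], date(2024, 5, 20)),
]

if __name__ == "__main__":
    for label, finding in audit(SAMPLE, date(2024, 6, 1)):
        print(f"{label}: {finding}")
```

A token flagged here is revoked under Profile > API tokens with Delete token and, where still needed, regenerated under a user with narrower access rights.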
Lokalise API also supports OAuth 2. Please find more information in the corresponding article.