feat: Add product docs page for Auth Tokens (#7834)

--------- Co-authored-by: Shana Matthews <shana.l.matthews@gmail.com>
getsentry · Sep 19, 2023 · aa2c1d3 · aa2c1d3 · vercel · Sep 19, 2023
1 parent f20bb75
commit aa2c1d3
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 0 deletions.
diff --git a/src/docs/product/accounts/auth-tokens/index.mdx b/src/docs/product/accounts/auth-tokens/index.mdx
@@ -0,0 +1,84 @@
+---
+title: "Auth Tokens"
+sidebar_order: 45
+description: "Learn about the different kinds of Auth Tokens Sentry provides, and when to use which."
+---
+
+Auth tokens (short for _authentication tokens_) are a way to authenticate with Sentry. They are similar to passwords but are designed for programmatic interaction with Sentry. Some examples of what you would use auth tokens for include:
+
+- Uploading Source Maps during your CI build
+- Using [Sentry CLI](/product/cli/) to interact with Sentry
+- Using the [Sentry API](/api/auth/)
+
+Each auth token is created with a certain set of permissions and scopes which are mapped to the Sentry API's [Permissions & Scopes](/api/permissions/). Some types of auth tokens have set permissions that can't be edited, while others can be customized upon token creation and edited later.
+
+We recommend using a separate auth token for each use case. For example, you would use a different auth token to upload source maps than the one you use with Sentry CLI. This has the benefit that if an auth token is compromised, you can revoke that auth token without impacting the rest of your workflow.
+
+## Types of Auth Tokens
+
+There are three key types of auth tokens in Sentry:
+
+- [Organization Auth Tokens](#organization-auth-tokens):
+  These tokens are bound to an organization, and have access to all projects within that organization. They have a limited set of permissions and are designed to be used in CI environments and with Sentry CLI.
+
+- [User Auth Tokens](#user-auth-tokens):
+  These tokens are bound to a user, and have access to all organizations and projects that user has access to.
+
+- [Internal Integrations](#internal-integrations):
+  These tokens are bound to an organization, and have access to all projects within that organization. They can be created with a custom set of permissions, and are designed to be used in cases where organization auth tokens don't have sufficient access rights.
+
+### When Should I Use Which?
+
+For most scenarios, we recommend using [Organization Auth Tokens](#organization-auth-tokens). They are designed to be used in CI environments and have a limited set of permissions. This means that if the place you stored the auth token is compromised, the attacker can only do limited damage.
+
+Organization auth tokens permissions aren't customizable. They are set to allow most CI-related tasks, without any unnecessary permissions.
+
+[User Auth Tokens](#user-auth-tokens) should be used to interact with the Sentry API on behalf of a user. For example, to fetch all issues for a user, you would use a User auth token. We don't recommend using User auth tokens for CI tasks because if the user who created the token is removed from the Organization, the token will stop working.
+
+User auth token permissions are customizable and editable.
+
+[Internal Integrations](#internal-integrations) should be used when you need full API access (which the organization auth tokens cannot grant), and you want to interact with the Sentry API on behalf of an organization. For example, to programmatically create a new project, you would use an internal integration.
+
+Permissions for auth tokens created as part of an internal integration are customizable and editable.
+
+### Organization Auth Tokens
+
+[Organization auth tokens](https://sentry.io/orgredirect/organizations/:orgslug/settings/auth-tokens/) can be created in [sentry.io](https://sentry.io) on the **Auth Tokens** page under **Settings > Developer Settings > Auth Tokens**.
+
+![](org-auth-tokens-overview.png)
+
+They can also be generated on certain pages of Sentry's docs if you're signed in, and by using the Sentry Wizard to configure uploading source maps.
+
+Organization auth token names are generated for you unless you create the token through the Sentry UI. This name is only used for display purposes - it helps to identify an auth token in case you want to revoke it later. You can change the name for an organization auth token at [sentry.io](https://sentry.io) on the **Edit Auth Token** page under **Settings > Developer Settings > Auth Tokens**.
+
+For security reasons, organization auth tokens are only visible _once_, right after you create them. If you lose the auth token, you will have to create a new one. This means you can't see the full token on the overview page or on the token detail page, you can only see the last characters of the token to help identify it.
+
+Any user can create organization auth tokens for any of their organizations. This allows any user (not only organization owners) to configure a Sentry SDK and set up CI processes by creating and using organization auth tokens. Since organization auth tokens have limited access, there is limited potential for abuse.
+
+![](org-auth-token-create.png)
+
+All owners of the organization will receive a security email when a new organization auth token is created and can revoke these tokens at any point. _Only_ organization owners & managers can revoke organization auth tokens .
+
+### User Auth Tokens
+
+[User auth tokens](https://sentry.io/settings/account/api/auth-tokens/) can be created in [sentry.io](https://sentry.io) on the **User Auth Tokens** page under the Account dropdown in the top left.
+
+![](user-auth-tokens-menu.png)
+
+User auth tokens can be created by any user, and are bound to that user. The tokens can be given permissions to all organizations and projects that user has access to. This means a user auth token's _maximum_ scope is all the scopes that the user has access to for a given organization. A user auth token cannot exceed the permissions of the user who created it. See [Organization and User Management](/product/accounts/membership/) for more details on how permissions work in Sentry.
+
+When you create a new user auth token, you can select which [scopes](/api/permissions/) the token should have in the UI:
+
+![](user-auth-token-create.png)
+
+Currently, you can view user auth tokens in the UI after creating them. This is a legacy behavior that may change in the future. We recommend only using each user auth token once, and creating a new token for each use case. Any user can always revoke any of their user auth tokens.
+
+![](user-auth-tokens-overview.png)
+
+We recommend only using a user auth token to interact with the Sentry API on behalf of a user. See Sentry's API [Authentication](/api/auth/) docs for more information on how to do this.
+
+### Internal Integrations
+
+We recommend only using an internal integration when you want to interact with the Sentry API on behalf of an organization. See Sentry's API [Authentication](/api/auth/) docs for more information on how to do this.
+
+See our docs on [Internal Integrations](/product/integrations/integration-platform/) to learn more.
diff --git a/src/docs/product/accounts/auth-tokens/org-auth-token-create.png b/src/docs/product/accounts/auth-tokens/org-auth-token-create.png
diff --git a/src/docs/product/accounts/auth-tokens/org-auth-tokens-overview.png b/src/docs/product/accounts/auth-tokens/org-auth-tokens-overview.png
diff --git a/src/docs/product/accounts/auth-tokens/user-auth-token-create.png b/src/docs/product/accounts/auth-tokens/user-auth-token-create.png
diff --git a/src/docs/product/accounts/auth-tokens/user-auth-tokens-menu.png b/src/docs/product/accounts/auth-tokens/user-auth-tokens-menu.png
diff --git a/src/docs/product/accounts/auth-tokens/user-auth-tokens-overview.png b/src/docs/product/accounts/auth-tokens/user-auth-tokens-overview.png