If you've ever built an integration or background job that connects to ERP.net APIs, you know the challenge isn't just about sending requests - it's the whole process of getting authorized.
Setting up a trusted application, coordinating with the ERP.net Identity Server, managing scopes, and handling tokens can be overkill when all you need is a simple, secure way for a script or service to connect.
Good news: you can now use Reference Access Tokens (PATs and SATs) - long-lived, manually issued tokens designed specifically for automation, integration, and developer workflows.
Let's break it down.
What are Reference Access Tokens?
A reference access token is basically a secure, long-lived API key.
It starts with enrt_ and represents an already authorized identity that can securely call ERP.net APIs.
Example:
enrt_1D41D4694B4F02D3D6A31FFA07E20B73F48248B26C75A0CCCB5F9DBEE41F7960
Unlike short-lived OAuth tokens, reference tokens are created manually and can be revoked instantly by their creator or by an instance administrator.
They're stored securely in the ERP.net Identity Server and are perfect for anything that needs persistent access using a preauthorized identity.
There are two kinds: PATs (Personal/User Access Tokens) and SATs (Service/Application Access Tokens).
PATs vs SATs: What's the difference?
| Token | Represents | Created By | Best For |
| PAT (Personal Access Token) | A specific user | Any authenticated user (if allowed) | Scripts, user-level automations, testing |
| SAT (Service Access Token) | A system user (application identity) | Admins only | Background services, middleware, integrations |
Think of PATs as your personal keys and SATs as keys for an application or service account.
How to issue a Personal Access Token (PAT)
If you want to create a PAT for your own automations, go to:
Profile Site -> Security -> Tokens
There, you can:
See all your existing tokens
Review scopes, expiration, and last-used time
Revoke tokens instantly
To create a new one:
Click Create user access token
Choose a Trusted Application (only apps that allow token creation will appear)
Set an expiration date and select the scopes you need
Click Generate token
Copy it immediately - you won't see it again!
How to issue a Service Access Token (SAT)
SATs are issued by admins from:
Instance Manager Site -> Security -> Trusted Apps -> [Your App]
Only admins can create SATs, and only for trusted apps that explicitly allow it.
To create one:
Click Create application token
Add a description, expiration date, and scopes
Generate the token and copy it right away
SATs always run as the system user of that app - not the admin who created it - which makes them perfect for stable, unattended integrations.
Security best practices
A few quick reminders:
Store tokens in secure vaults or encrypted configs
Never store tokens in source control or share them through chat or email
Keep expiration times short and rotate tokens often
Revoke tokens immediately if they're no longer needed
Use SATs for services, PATs for users
You can also review creation dates, scopes, and last-used timestamps for easy auditing.
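One way to enforce the "never in source control" rule is a pre-commit scan for enrt_ strings. This is an added example, not ERP.net code; the 64-hex-character pattern is inferred from the sample token above, and the ERP_TOKEN variable name and sample config are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: format inferred from the one example token on this page
# ("enrt_" + 64 hex characters); it is not a documented specification.
TOKEN_RE = re.compile(r"enrt_[0-9A-Fa-f]{64}")
# Looser pattern: truncated or mangled pastes that still deserve a manual look.
SUSPECT_RE = re.compile(r"enrt_[0-9A-Za-z]{16,}")


def redact(token):
    """Keep just enough to locate the token; never echo the full secret."""
    return token[:9] + "..." + token[-4:]


def scan_text(text, source="<text>"):
    """Return one finding per token-like string, with line number and kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SUSPECT_RE.finditer(line):
            kind = "token" if TOKEN_RE.fullmatch(m.group()) else "suspect"
            findings.append({"source": source, "line": lineno,
                             "kind": kind, "match": redact(m.group())})
    return findings


def scan_paths(paths):
    """Scan files given on the command line (e.g. staged files in a hook)."""
    findings = []
    for path in map(Path, paths):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample config: a hard-coded token (the page's example value),
# an environment-variable reference (hypothetical name), and a truncated paste.
SAMPLE = '''api_url = "https://example.invalid/api"
token = "enrt_1D41D4694B4F02D3D6A31FFA07E20B73F48248B26C75A0CCCB5F9DBEE41F7960"
token_from_env = "${ERP_TOKEN}"
old = "enrt_1D41D4694B4F02D3D6A3"
'''

if __name__ == "__main__":
    args = sys.argv[1:]
    results = scan_paths(args) if args else scan_text(SAMPLE, "sample")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['match']}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit
```

A token that this scan finds in a committed file should be revoked and reissued, not just deleted from the file.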
When to use which
👤 PATs: for developer tools, connectors, and scripts that act on behalf of a user
⚙️ SATs: for background jobs, sync services, or anything that runs unattended
--
Get started
Ready to put reference tokens to work? Start here:
- Issuing Reference Tokens
  Step-by-step guide on creating and managing Personal and Service Access Tokens, including permissions, expiration, and security best practices.
- Reference Access Tokens
  Deep dive into how reference tokens work - their lifecycle, usage, security model.
- Trusted Applications and Access Control
  Learn how trusted apps are registered, identified, and granted permissions within an instance - the foundation for secure integrations.