Access Governance Guide
Workspace ID and Token Setup Runbook
This runbook turns ad-hoc credential setup into a controlled access workflow for teams running profile automation at scale.
Updated: 2026-04-05 | Input references: account and API setup patterns found across getting-started and automation repositories.
Core Contract
Identifiers You Must Track
| Field | Purpose | Storage rule |
| --- | --- | --- |
| workspace_id | Scope jobs to the correct team workspace | Config store, read-only in runtime logs |
| user_id | Trace execution ownership | Audit logs only, no public output |
| token_version | Track credential rotation events | Secrets metadata, never plain logs |
| profile_id | Bind task lifecycle and cleanup events | Job logs and evidence packs |
| trace_id | Correlate stages and incident reports | Required on every batch and job |
Setup Flow
Access Provisioning Sequence
Step 1: Confirm account role and workspace assignment for each operator.
Step 2: Capture workspace_id and user_id from a controlled interface or a verified API response.
Step 3: Issue a scoped token per environment and register its token_version.
Step 4: Validate access with a non-destructive API call and log trace_id.
Step 5: Move credentials into a secrets manager and revoke temporary copies.
Environment Variable Baseline
MLX_BASE_URL=http://127.0.0.1:35000
MLX_WORKSPACE_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
MLX_TOKEN=***
MLX_TOKEN_VERSION=v3
MLX_REQUEST_TIMEOUT_SEC=45
Expose only what the runtime needs. Hide tokens from debug output and UI overlays.
Security Guardrails
- Separate staging and production credentials.
- Rotate tokens after team access changes.
- Disable old token versions immediately after cutover.
- Log access events with immutable timestamps.
Audit Record Skeleton
{
  "trace_id": "access-2026-04-05-009",
  "workspace_id": "948bab9a-2cad-4a3f-af1f-01bfe260f85b",
  "user_id": "19047492-ea90-4138-9afc-d2df61de2b06",
  "token_version": "v3",
  "event": "access_validation",
  "status": "pass",
  "timestamp": "2026-04-05T18:30:00Z"
}
A simple, consistent audit record saves hours during incident response.
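An added example, not code from this runbook or from any vendor: it validates the environment baseline, masks the token in log strings, and builds the audit record above without ever copying the token value into it. The function names (load_config, redact, audit_record) and the "fail" status are assumptions; the validation API call itself is left to the caller because the page names no endpoint.

```python
import json
import uuid
from datetime import datetime, timezone

REQUIRED = ("MLX_BASE_URL", "MLX_WORKSPACE_ID", "MLX_TOKEN", "MLX_TOKEN_VERSION")

def load_config(env):
    """Validate the baseline variables; fail closed on anything missing or malformed."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing variables: " + ", ".join(missing))
    try:
        # Rejects the unfilled xxxxxxxx-... placeholder as well as typos.
        workspace_id = str(uuid.UUID(env["MLX_WORKSPACE_ID"]))
    except ValueError:
        raise ValueError("MLX_WORKSPACE_ID is not a UUID") from None
    return {
        "base_url": env["MLX_BASE_URL"],
        "workspace_id": workspace_id,
        "token": env["MLX_TOKEN"],
        "token_version": env["MLX_TOKEN_VERSION"],
        "timeout": int(env.get("MLX_REQUEST_TIMEOUT_SEC", "45")),
    }

def redact(text, cfg):
    """Mask the token before a string reaches debug output or logs."""
    return text.replace(cfg["token"], "***")

def audit_record(cfg, user_id, trace_id, ok, now=None):
    """Build the audit skeleton; only token_version is recorded, never the token."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "trace_id": trace_id,
        "workspace_id": cfg["workspace_id"],
        "user_id": user_id,
        "token_version": cfg["token_version"],
        "event": "access_validation",
        "status": "pass" if ok else "fail",  # "fail" is an assumed value
        "timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    env = {"MLX_BASE_URL": "http://127.0.0.1:35000", "MLX_TOKEN": "constructed-token",
           "MLX_WORKSPACE_ID": "948bab9a-2cad-4a3f-af1f-01bfe260f85b", "MLX_TOKEN_VERSION": "v3"}
    cfg = load_config(env)
    rec = audit_record(cfg, "19047492-ea90-4138-9afc-d2df61de2b06", "access-2026-04-05-009", True)
    print(redact(json.dumps(rec), cfg))
```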
Common Mistakes
Access Setup Failures That Cause Production Pain
Token reuse everywhere
One leaked key can break every environment at once.
No token version tracking
Teams cannot know which jobs used stale credentials.
Missing workspace ownership checks
Jobs run under the wrong workspace and produce invalid evidence.
Commercial Routing
After Access Governance Is Stable
Once access controls are stable, route users to comparison and promo pages with confidence. This improves trust and reduces low-fit traffic.
FAQ
Access Setup Questions
Which identifiers are mandatory for audit?
Track workspace_id, user_id, profile_id, token_version, and trace_id for each automation run.
Should one token be shared across teams?
No, use scoped tokens per role or environment to reduce incident impact.
How often should token policy be reviewed?
Quarterly at minimum, and immediately after incidents or team changes.