Skip to main content

Documentation Index

Fetch the complete documentation index at: https://gcore.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Every Gcore API request requires a permanent API token. The token goes in the Authorization header and works across all products — Cloud, CDN, DNS, Storage, and others.

Step 1. Create a token

  1. Open the Gcore Customer Portal and sign in.
  2. Click the account icon in the top-right corner and go to Profile.
  3. Select the API tokens tab.
  4. Click Create token.
  5. Give the token a name, choose a role (use Administrators for full access), and set an expiration date if needed.
  6. Click Create. A dialog shows the token value — copy it before closing. It will not be shown again.
The token value is shown only once — store it somewhere secure (a password manager or secrets vault) before closing the dialog.

Step 2. Set the token as an environment variable

Store the token in an environment variable so it can be used in every command without re-typing or hardcoding it in scripts. Open a terminal and run: 
export GCORE_API_KEY="29841\$c767..."
Replace 29841\$c767... with the actual token value copied in Step 1.
Gcore tokens contain a $ character. In bash, $ inside a double-quoted string triggers variable expansion and silently truncates the token. Escape the dollar sign with a backslash (\$) when setting the variable:
# Wrong — token gets truncated at the $ character
export GCORE_API_KEY="29841$c767b250..."

# Correct
export GCORE_API_KEY="29841\$c767b250..."
After setting the variable, $GCORE_API_KEY in commands refers to the full token — no escaping needed from that point on.
Environment variables are session-scoped — they disappear when the terminal is closed, so to persist across sessions, add the export line to ~/.zshrc (macOS/Linux) or the PowerShell profile file (Windows).Not sure what these concepts mean? API basics covers terminals and environment variables from scratch.

Step 3. Verify the token

Confirm the token is valid and see which account it belongs to: 
curl "https://api.gcore.com/iam/clients/me" \
  -H "Authorization: APIKey $GCORE_API_KEY"
A successful response looks like: 
{
  "id": 7350925,
  "email": "user@example.com",
  "status": "active",
  "currentUser": 1023101
}
If the response shows "status": "active" and contains an email address, the token is working.

Common authentication errors

If the command returns an error instead, the table below shows the most common causes:
Error messageCauseFix
Authentication credentials were not provided.No Authorization header sentCheck that -H "Authorization: APIKey $GCORE_API_KEY" is present
Bad permanent token: 29841Token was truncated at the $ characterEscape the $ when setting the variable: 29841\$c767...
Token is invalid or expiredToken was deleted or has passed its expiry dateCreate a new token in the portal
Given token not valid for any token typeUsing Bearer instead of APIKeyThe scheme must be APIKey, not Bearer
The Authorization header name is case-insensitive — Authorization, authorization, and AUTHORIZATION all work — while the APIKey prefix is not optional.

Token roles

When creating a token, a role is assigned that controls what the token can do:
RoleAccess level
AdministratorsFull read and write access to all resources
EngineersTechnical operations; no billing or user management
UsersRead access to most resources; limited write access
A token cannot have a higher role than the user who created it. For automation that creates and deletes infrastructure, Administrators is typically required.

Token expiration and limits

  • Maximum 50 tokens per account.
  • Tokens expiring within 7 days trigger email notifications at 7 days and 1 day before expiry.
  • To rotate a token, create a new one first, update all integrations, then delete the old one.

SSO accounts

When signing in via SAML SSO, the identity provider controls portal access but permanent API tokens operate independently, so revoking a user’s SSO access does not invalidate their tokens. To block API access for an SSO user, delete their tokens manually in the API tokens section.