How to generate API token on behalf of a user in Jenkins

Last Updated:

If you are utilizing a Jenkins user in any of your scripts or webhooks, it may be necessary to generate or regenerate an API token for the service user.

A viable method is to log into Jenkins using the relevant user credentials and subsequently generate a token. However, this may not be feasible for all service users, especially if passwords are not utilized or are not remembered.

If you want to create a token for a logged user, see How to generate Jenkins API tokens.

Alternatively, you can generate an API token for a user if you possess administrative privileges in Jenkins.

You are an administrator if, post-login, you observe the “Manage Jenkins” option on the left-hand navigation menu.

Another method to verify administrative access is to input https://[your-jenkins-server]/manage in your browser and ascertain whether access is granted.

Follow these steps to Generate an API token on behalf of any user.

Step 1: Navigate to the Jenkins Script Console

Jenkins Script Console is where you can execute Groovy scripts and perform operations that are otherwise are not possible from the user interface.

Log in to your Jenkins dashboard and navigate to “Manage Jenkins”. Scroll down and you will see the “Script Console” option under Tools And Actions.

An easier way to navigate to the Script Console is by entering https://your-jenkins-server/script the browser. The /script will take you directly to the Script Console.

Step 2: Use the following Groovy script

The following Groovy script helps you to generate an API token on behalf of a user. You need to supply the “userName” and “tokenName” variables:

import hudson.model.*
import jenkins.model.*

// Please change the following details:
def userName = "jenkins_user" //Jenkins user that you want to generate the API token on behalf of
def tokenName = "Test Token" // A name for the token

// Retrieving the user, returns null if the user does not exist
def user = User.get(userName, false)

// Check if a user was found
if (user == null) {
    throw new IllegalArgumentException("User: ${userName} does not exist")

// Retrieving the API token property of the user
def apiTokenProperty = user.getProperty(ApiTokenProperty.class)

// Check if API token property is available
if (apiTokenProperty == null) {
    throw new IllegalStateException("User: ${userName} does not have API token property")

// Generating a new API token with the specified token name
def result = apiTokenProperty.tokenStore.generateNewToken(tokenName)

// Saving the user object after generating the new token

// Returning the plain value of the newly generated API token
return result.plainValue

Step 3: Execute the script

After you provided the values for “userName” and “tokenName” in that script, click the “Run” button. This will execute the script and return the API Token that is created for the specified user.

If you go to the user profile, you will see the API token is present.

Step 3: Securely store the API token

Copy the API token generated on the Script Console and store it somewhere safe like a password manager. Once the API token is created, it’s not possible to see its content afterward.


We might sometimes need to create a Jenkins API token on behalf of a user, usually a service user, and while this is not directly possible from Jenkins UI, as an admin you can create the API token for any user using the Groovy script provided in this guide.