API tokens are special JSON web tokens (JWTs) that Mythic can create per-user and that don't expire automatically. This lets you run long-term scripts without having to periodically check whether your current access token has expired, go through the refresh process, and then continue with whatever you were doing.
They're located in your settings page (click your name in the top right and click settings).
When you create an API token you choose between two types: User or C2. A User API token has all the same rights that you do and can access everything you can. A C2 API token is geared towards just C2-related components (more on this to come).
When making a request with an API token, set the `apitoken` header with a value of your API token. This is in contrast to normal JWT usage where the header is `Authorization` and the value is `Bearer: <token here>`.
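Because an API token does not expire, a script should treat it as a long-lived secret. The following is an added example, not code from Mythic: it loads the token from the environment, sets the `apitoken` header, and masks the token before headers are logged. The variable name `MYTHIC_API_TOKEN`, the endpoint URL, the JSON payload and the JWT shape check are assumptions made for illustration.

```python
import json
import os
import urllib.request

TOKEN_ENV = "MYTHIC_API_TOKEN"                  # assumed variable name
API_URL = "https://mythic.example.invalid/api"  # placeholder endpoint


def load_api_token(env=os.environ):
    """Read the token from the environment so it never sits in the script."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    # A JWT is three dot-separated segments; embedded whitespace or CR/LF
    # would corrupt the header line, so reject it before use.
    if token.count(".") != 2 or any(c.isspace() for c in token):
        raise ValueError("value does not look like a JWT")
    return token


def build_request(token, payload, url=API_URL):
    """Build (but do not send) a POST authenticated with the apitoken header."""
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"apitoken": token, "Content-Type": "application/json"},
        method="POST",
    )


def loggable_headers(request):
    """Header dict that is safe to log: the non-expiring token is masked."""
    secret = ("apitoken", "authorization")
    return {
        name: "<redacted>" if name.lower() in secret else value
        for name, value in request.header_items()
    }


if __name__ == "__main__":
    constructed = {TOKEN_ENV: "aaa.bbb.ccc"}  # constructed sample, not a real token
    req = build_request(load_api_token(constructed), {"example": "payload"})
    print(loggable_headers(req))
```

`urllib` stores header names capitalized (`Apitoken`); HTTP header names are case-insensitive, so the request is unaffected.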