Token management lives under Configuration → API Access → Third-Party Tokens. If you don’t see API Access under Configuration, your account’s role lacks the API Access permission — ask a Super Admin to grant it or to create the token for you.
Creating a Third-Party Token
Navigate to Third-Party Tokens
In your VSA X portal, go to Configuration → API Access → Third-Party Tokens, then click Create Token in the upper-right corner.
Configure the token details
On the Details tab, give the token a recognizable name (e.g. 
Neo Agent) and an optional description. You can optionally set start/expiration dates and restrict the token to specific IP addresses.Set the token authorization (scopes)
On the Authorization tab, scope the token to the organizations Neo should manage and grant the API endpoint permissions. For a standard Neo integration, grant read access to Devices, Device Assets, Organizations / Sites / Groups, and Automation, plus any areas you want Neo to write to (e.g. Notifications).
Recommended Permissions
| Area | Access | Purpose |
|---|---|---|
| Devices | Read | Device sync, status, custom fields, applied policies |
| Device Assets | Read | Hardware + installed-software inventory |
| Organizations / Sites / Groups | Read | Tenant hierarchy + PSA company mapping |
| Automation | Read | Browse the script / task / workflow catalog |
| Notifications | Read/Write | Only if you want Neo to create notifications or manage webhooks |
A revoked token has a 30-day grace period during which you can regenerate its secret before it’s permanently deleted.