If you’re automating backups, writing scripts, or integrating Proxmox Backup Server (PBS) with other systems, API tokens are the correct way to authenticate — not passwords.
This guide shows exactly how to create an API token in PBS, why you should use one, and how to use it safely with proxmox-backup-client.
Simple, secure, and production-ready.
Why Use API Tokens in Proxmox Backup Server?
Using a user password in scripts is risky:
- ❌ Passwords expire or get rotated
- ❌ Full user access is overkill
- ❌ Scripts break silently
- ❌ Higher blast radius if leaked
API tokens solve this:
- ✅ Scoped permissions
- ✅ Revocable without touching the user
- ✅ Perfect for automation
- ✅ Designed for non-interactive use
If you’re running backups from Proxmox VE, cron jobs, or custom scripts — tokens are mandatory best practice.
Prerequisites
Before creating a token, make sure you have:
- A working Proxmox Backup Server
- Admin access, or permission to manage users
- A user account (local or PAM)
Example user:
pve@pbs

Step 1: Log In to the PBS Web Interface
- Open your browser and go to your PBS web UI:
https://<pbs-ip>:8007
- Log in with an admin-capable user
Step 2: Create an API Token
- Navigate to:
Configuration → Access Control → API Tokens

- Click Add
- Fill in the fields:
  - User: pve@pbs
  - Token ID: zfs-backup (example)
- Click Create

📌 Important:
- The token secret is shown once
- Copy it immediately
- You cannot recover it later
Step 3: Assign Permissions to the Token
Creating a token is not enough — it has no permissions by default.
Recommended Permission Setup
- Go to:
Configuration → Access Control → Permissions
- Add a permission for the user and another one for the API token:
  - Path: /datastore/pbs-store
  - User: pve@pbs
  - Role: DatastoreBackup/DatastoreAdmin

3. Add a permission for the API token:

This allows:
- Creating backups
- Reading snapshots
- No admin access
✅ Principle of least privilege
Step 4: Verify Token Authentication
Test the token from a shell:
# Single quotes stop an interactive bash from treating !zfs-backup as history expansion
export PBS_REPOSITORY='pve@pbs!zfs-backup@<pbs-ip>:pbs-store'
export PBS_PASSWORD="<TOKEN_SECRET>"
proxmox-backup-client list
If authentication works, you’ll see datastore content.
Recommended: Use a Password File
Never hardcode secrets in scripts.
echo '<TOKEN_SECRET>' > /root/pbs-password
chmod 600 /root/pbs-password
Then:
export PBS_PASSWORD_FILE="/root/pbs-password"
This is exactly how production backup scripts should authenticate.
Common Mistakes (and How to Avoid Them)
Token Created but Backups Fail
Cause: No permissions assigned
Fix: Assign DatastoreBackup role to the token
Using the User Instead of the Token
Wrong:
pve@pbs@pbs-store
Correct:
pve@pbs!zfs-backup@pbs-store
The !token-name part is required.
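The password-file advice and the user-versus-token mistake above can both be checked before each backup run. The shell functions below are an added example, not part of the original post or of Proxmox tooling; the function names are hypothetical, and the secret is read from stdin so it never appears on a command line.

```shell
#!/bin/sh
# Added example: preflight checks for a token-based PBS backup script.
# Function names are hypothetical; they are not part of proxmox-backup-client.

# Succeeds only if the repository string carries a "!token-id" part,
# i.e. user@realm!token-id@..., and fails for a bare user@realm@... string.
pbs_repo_uses_token() {
    printf '%s\n' "$1" | grep -Eq '^[^@!]+@[^@!]+![^@!:]+@.+$'
}

# Reads the token secret from stdin and writes it to a new file that is
# created with mode 600 from the start (umask 077), so there is no window
# in which it is group- or world-readable. noclobber (set -C) refuses to
# overwrite an existing file.
pbs_write_secret() {
    ( umask 077; set -C; cat > "$1" )
}

# Succeeds only if the path is a regular, non-empty file whose mode is
# 600 or 400. Symlinks are rejected.
pbs_secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs both checks: returns 1 for a non-token repository string,
# 2 for a missing or too-permissive secret file, 0 when both pass.
pbs_preflight() {
    if ! pbs_repo_uses_token "$1"; then
        echo "PBS_REPOSITORY has no !token-id part" >&2; return 1
    fi
    if ! pbs_secret_file_ok "$2"; then
        echo "password file missing, empty, or readable by others" >&2; return 2
    fi
}

# Typical use in a backup script (not executed here):
#   pbs_preflight "$PBS_REPOSITORY" "$PBS_PASSWORD_FILE" && proxmox-backup-client list
```

Failing the preflight with a distinct exit code makes a misconfigured cron job visible instead of letting it break silently.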
Token Has Too Much Power
Avoid assigning:
Admin
DatastoreAdmin
Unless absolutely required.
Security Best Practices
- Use one token per purpose
- Rotate tokens periodically
- Set expiration dates
- Store secrets in root-only files
- Never commit tokens to Git
When to Use Multiple Tokens
Create separate tokens for:
- Proxmox VE backups
- Dataset backups
- External systems
- CI/CD or automation
This makes auditing and revocation trivial.
Final Thoughts
If you’re still using passwords with Proxmox Backup Server, stop.
API tokens are:
- Safer
- Cleaner
- Easier to manage
- Built for automation
Once you switch, you’ll never go back.
Happy (and secure) backing up 🔐
Mohammad Dahamshi is a skilled Embedded Software Engineer and web developer. With experience in C/C++, Linux, WordPress, and DevOps tools, he helps businesses solve technical challenges and build reliable digital solutions. Fluent in Arabic, Hebrew, and English, he also runs Saratec, offering web design and digital marketing services.
