Review Access Tokens
Secure, time-limited login links for platform reviewers (Meta, TikTok, X, etc.) during app review processes.
Overview
When platforms like Meta or TikTok need to review our app, they require test account access. Review Access Tokens provide:
- No password sharing - Secure token-based login
- Time-limited - Auto-expire after configured days
- Revocable - Instant access termination
- Auditable - Full usage tracking
- Entitlements override - Grant premium features for testing
Admin UI
Navigate to: Platform Console → Configuration → Review Access
Creating a Token
- Click Create Token
- Fill in:
  - Name: e.g., "Meta App Review - Dec 2025"
  - Platform: Select the reviewing platform
  - Target User: The account reviewers will access
  - Override Tier: (Optional) Grant higher tier for testing
  - Expires In: 1-90 days
  - Max Uses: (Optional) Limit number of logins
- Copy the generated URL and share with the reviewer
Managing Tokens
| Action | Description |
|---|---|
| View | See token details and usage count |
| Revoke | Immediately invalidate a token |
| Filter | Show/hide revoked tokens |
API Endpoints
Admin Routes (Super Admin Only)
```
GET /api/platform/review-access # List tokens
POST /api/platform/review-access # Create token
GET /api/platform/review-access/:id # Get details
DELETE /api/platform/review-access/:id # Revoke token
```
Public Token Exchange
```
POST /api/auth/review-access # Exchange token for JWT
```
Database Model
ReviewAccessToken in Prisma schema with fields:
- tokenHash - SHA256 hash (never store plaintext)
- overrideTier - Override subscription tier
- overrideEntitlements - Specific entitlement keys
- expiresAt, maxUses, usageCount
- isRevoked, revokedBy, revokedAt
- Full audit trail (createdBy, lastUsedAt, lastUsedIp)
Security Notes
- Tokens are hashed before storage
- Plain token shown only once at creation
- Token automatically invalidated if:
  - Expired
  - Revoked
  - Max uses reached
- All token usage is logged with IP addresses
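
The checks listed above, as an added example that is not the project's own code: a token is generated, only its SHA-256 digest is kept, and an exchange is refused when the token is unknown, revoked, expired, or out of uses. The field names come from the model above; the function names and the in-memory `Map` standing in for the database table are assumptions.

```javascript
const { createHash, randomBytes } = require('node:crypto');

// SHA-256 of the plaintext token; only this digest is persisted (tokenHash).
const hashToken = (plain) => createHash('sha256').update(plain).digest('hex');

// Create a record. `store` is a Map standing in for the ReviewAccessToken table (assumption).
function createReviewToken(store, { expiresInDays, maxUses = null }, now = new Date()) {
  if (!Number.isInteger(expiresInDays) || expiresInDays < 1 || expiresInDays > 90) {
    throw new RangeError('expiresInDays must be 1-90');
  }
  const plain = randomBytes(32).toString('base64url'); // 256 bits of entropy
  const record = {
    tokenHash: hashToken(plain),
    expiresAt: new Date(now.getTime() + expiresInDays * 86400000),
    maxUses, usageCount: 0,
    isRevoked: false, lastUsedAt: null, lastUsedIp: null,
  };
  store.set(record.tokenHash, record);
  return plain; // returned once at creation, never stored
}

// Validate a presented token. Returns { ok, reason } and records usage on success.
function exchangeReviewToken(store, plain, ip, now = new Date()) {
  const record = typeof plain === 'string' ? store.get(hashToken(plain)) : undefined;
  if (!record) return { ok: false, reason: 'unknown' };
  if (record.isRevoked) return { ok: false, reason: 'revoked' };
  if (now >= record.expiresAt) return { ok: false, reason: 'expired' };
  if (record.maxUses !== null && record.usageCount >= record.maxUses) {
    return { ok: false, reason: 'max_uses' };
  }
  // Against a real database this check-and-increment must be a single
  // conditional UPDATE, or two concurrent exchanges can both pass maxUses.
  record.usageCount += 1;
  record.lastUsedAt = now;
  record.lastUsedIp = ip;
  return { ok: true, reason: null }; // the caller would issue the JWT here
}
```

Because the lookup is by digest, a leaked database row does not yield a usable login link; the plaintext exists only in the URL handed to the reviewer.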