Asana Token

Bridgecrew Policy ID: BC_GIT_24
Checkov Check ID: CKV_SECRET_24
Severity: LOW

Asana Key

Asana is a web and mobile work management platform designed to help teams organize, track, and manage their work. It helps teams manage projects and tasks in one tool. Teams can create projects, assign work to teammates, specify deadlines, and communicate about tasks directly in Asana. It also includes reporting tools, file attachments, and calendars, and supports setting and tracking company-wide goals.


A user can create many, but not unlimited, personal access tokens. When creating a token you must give it a description to help you remember what you created the token for. Personal Access Tokens should be used similarly to OAuth access tokens when accessing the API, passing them in the Authorization header. You can generate a Personal Access Token from the Asana developer console. See the Authentication Quick Start for detailed instructions on getting started with PATs.

Fix - Buildtime


An authorization token can be deauthorized or invalidated by making a request to Asana's API. Your app should make a POST request to, passing the parameters as part of a standard form-encoded post body.

The body should include a valid Refresh Token, which will cause the Refresh Token and any associated Bearer Tokens to be deauthorized. Bearer Tokens are not accepted in the request body since a new Bearer Token can always be obtained by reusing an authorized Refresh Token.
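
The revocation request described above, as an added example that is not part of the original page or of Asana's or Checkov's code. It builds the form-encoded POST with credentials read from the environment instead of hard-coded in source. Assumptions: the revocation URL is a placeholder because this page does not give it, and the form field names `client_id`, `client_secret` and `token` and the `ASANA_*` variable names are not taken from this page.

```python
import os
import urllib.parse
import urllib.request

# Placeholder: this page does not give the revocation URL; take it from Asana's OAuth docs.
REVOKE_URL_PLACEHOLDER = "https://asana.invalid/REVOKE-ENDPOINT-PLACEHOLDER"


def load_secret(name, env=None):
    """Read a credential from the environment so it never sits in source control."""
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to fall back to a literal")
    return value


def build_revoke_request(url, client_id, client_secret, refresh_token):
    """Build (but do not send) the form-encoded POST that deauthorizes a refresh token."""
    if not url.lower().startswith("https://"):
        raise ValueError("revocation request must go over HTTPS")
    # Field names are assumptions; the page only says the body carries a refresh token.
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "token": refresh_token,
    }).encode("ascii")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def revoke_from_env(url, env=None):
    """Assemble the request from environment variables (hypothetical variable names)."""
    return build_revoke_request(
        url,
        load_secret("ASANA_CLIENT_ID", env),
        load_secret("ASANA_CLIENT_SECRET", env),
        load_secret("ASANA_REFRESH_TOKEN", env),
    )


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"ASANA_CLIENT_ID": "1111", "ASANA_CLIENT_SECRET": "s3cr3t/+",
              "ASANA_REFRESH_TOKEN": "constructed-refresh-token"}
    req = revoke_from_env(REVOKE_URL_PLACEHOLDER, sample)
    print(req.get_method(), req.full_url, req.data.decode())
```

Sending the request is one further call, `urllib.request.urlopen(req, timeout=10)`, once the real endpoint replaces the placeholder.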