**As** an administrator
**I want to** set up system-level tokens
**so that** can use them as authentication in my SCIM client to provide it access to the OpenProject SCIM server API.

**Acceptance criteria**

* System-level tokens function similarly to personal access tokens but are associated with a designated system user.

* Begin of the deletion Tokens are limited by specific scopes.

* End of the deletion Administrators can create, name, and manage these tokens via a dedicated menu entry located at /admin/settings/authentication.

* Begin of the insertionToken have a name and are limited to specific scopes.

* The available scopes are api\_v3, bcf\_v2\_1 and scim\_v2. At least oneEnd of the insertion Begin of the deletion Initially, the only selectableEnd of the deletion scope Begin of the insertionneeds to be selected.

* Tokens can be set as validEnd of the insertion for Begin of the insertion1 day, 7 days, 1 month, 3 months or 1 year.

* After creatingEnd of the insertion Begin of the deletion tokens isEnd of the deletion the Begin of the insertiontoken will be only visible once.End of the insertion Begin of the deletion SCIM API scope, which is selected by default.End of the deletion

* Multiple active system-level tokens can exist simultaneously.

* Administrators can delete individual tokens through an available menu action. Begin of the insertion

* Expired token should have a label called expired

* Expired tokens should be invalid when using them against the API

<br>End of the insertion


**Technical notes**

* I&#39;d suggest to prefix them, so that we can recognize how to validate them, e.g. `opst-ABCDEF...` (**O**pen**P**roject**S**ystem**T**oken)


**Permissions and visibility considerations**

* Only accessible to administrators.

* Only available when the Enterprise plan Corporate is active.


Begin of the insertion<br>End of the insertion Begin of the deletion **Out of scope**

* Token expiration handling.

* Support for multiple scopes.End of the deletion