docs: cloud docs for user token disablement

emlanctot · helenjw · commit 602dca396766 · 2025-09-16T11:48:49.000-04:00
diff --git a/content/terraform-docs-common/docs/cloud-docs/users-teams-organizations/api-tokens.mdx b/content/terraform-docs-common/docs/cloud-docs/users-teams-organizations/api-tokens.mdx
@@ -16,6 +16,21 @@ Refer to [Team Token API](/terraform/cloud-docs/api-docs/team-tokens) and [Organ
 
 API tokens may belong directly to a user. User tokens are the most flexible token type because they inherit permissions from the user they are associated with. For more information on user tokens and how to generate them, see the [Users](/terraform/cloud-docs/users-teams-organizations/users#tokens) documentation.
 
+### Disabling user tokens for organizations
+
+When user tokens are disabled for an organization, all user tokens will be blocked from accessing organization resources. By default, user tokens are enabled for organizations.
+
+1. Sign in to [HCP Terraform](https://app.terraform.io/) or Terraform Enterprise, then navigate to the organization where you want to disable user tokens.
+1. Choose **Settings** from the sidebar, then **API tokens**.
+1. From the **User Tokens** tab, uncheck the **Allow members to access organization resources with their user tokens** setting.
+1. Click **Update settings**.
+1. In the confirmation modal, select **Disable**.
+1. User tokens are now disabled for this organization.
+
+!> **Warning:** Use caution disabling user tokens for an organization. This could cause automation to fail if the automation is using user tokens to authenticate. 
+
+-> **Note:** When user tokens are disabled for an organization, that organization should use `oauth-token-id` to configure their VCS connections rather than `github-app-installation-id`, as the latter relies on user tokens to authenticate to Github.
+
 ## Team API Tokens
 
 API tokens may belong to a specific team. Team API tokens allow access to the workspaces that the team has access to, without being tied to any specific user.
diff --git a/content/terraform-docs-common/docs/cloud-docs/users-teams-organizations/users.mdx b/content/terraform-docs-common/docs/cloud-docs/users-teams-organizations/users.mdx
@@ -191,6 +191,10 @@ To revoke a token, click the **trash can** next to it. That token will no longer
 
 ~> **Note**: HCP Terraform does not revoke a user API token's access to an organization when you remove the user from an SSO Identity Provider as the user may still be a member of the organization. To remove access to a user's API token, remove the user from the organization in the UI or with the [Terraform Enterprise provider](https://registry.terraform.io/providers/hashicorp/tfe/latest).
 
+#### Tokens disabled
+
+User tokens can be disabled at the organization level, for more information see the [API token](/terraform/cloud-docs/users-teams-organizations/api-tokens#user-api-tokens) documentation.
+
 ### GitHub app OAuth token
 
 Click **Tokens** in the sidebar to manage your GitHub App token. This token lets you connect a workspaces to an available GitHub App installation.
