In this page

    Content Delivery API > Authentication and permissions

    Authentication and permissions

    To communicate with the GraphQL server, you'll need an API token. To start, you can find your read-only API token in the Settings > API tokens section of your administrative area:

    Regardless of which API token you use, make sure that the "Access the Content Delivery API" or "Access the Content Delivery API in Preview Mode" flags are enabled, otherwise the API token will not be able to make calls to the CDA.

    Restricting access

    If you want to restrict GraphQL access only to a selection of your models, you can generate a custom API token and assign it a custom role.

    If an API token can only access specific models, any other field will be completely hidden from the GraphQL schema and response, eliminating any potential information exposure.

    Different behavior on legacy projects

    On projects created before January 8, 2024 — and that have not explicitly activated the "Improved GraphQL Security" update — the behavior will be slightly different: you can read all the details in the related product update.