# API token An API token authenticates programmatic access to a project. Each token combines two layers of access control: 1. A **Role** that defines what actions are permitted (the same Role resource used for human collaborators). 2. A set of **API surface flags** (`can_access_cda`, `can_access_cda_preview`, `can_access_cma`) that gate which APIs the token can hit at all. The token's effective capabilities are the *intersection* of the two. > [!PROTIP] 💡 A CDA-only token can safely reuse a write-capable Role > A token with only `can_access_cda: true` is safe to attach to a Role that grants `update`/`publish`/`delete` — the Content Delivery API exposes no write endpoints, so those actions have no surface to act on. This makes it practical to share a single Role definition between an editor (acting via the dashboard / CMA) and a public read token (used by a frontend / CDA) for the same project. ## Object payload id string ID of access\_token Example: `"312"` type string Must be exactly `"access_token"`. name string Name of API token Example: `"Read-only API token"` hardcoded\_type null, string Internal marker for the project's built-in factory tokens (e.g. read-only API token), seeded by DatoCMS when the project is created. Read-only attribute. When non-null, attribute updates are rejected with `NON_EDITABLE_ACCESS_TOKEN`, but the token can still be deleted and regenerated. `null` for any token created via this API. can\_access\_cda boolean Whether this API token can call the Content Delivery API (`graphql.datocms.com`) to fetch **published** content. can\_access\_cda\_preview boolean Whether this API token can call the Content Delivery API with the `X-Include-Drafts: true` header to fetch **draft** (current, unpublished) content. There is no separate endpoint — the CDA is a single GraphQL endpoint and this flag governs whether requesting drafts is allowed. can\_access\_cma boolean Whether this API token can access the Content Management API last\_cma\_access enum When this API token was last used to access the Content Management API Example: `"never"` Show enum values today Today yesterday Yesterday this\_week This week (Monday-Sunday) last\_week Last week (Monday-Sunday) this\_month This calendar month last\_month Last calendar month never No recent usage (beyond last month) last\_cda\_access enum When this API token was last used to access the Content Delivery API Example: `"never"` Show enum values today Today yesterday Yesterday this\_week This week (Monday-Sunday) last\_week Last week (Monday-Sunday) this\_month This calendar month last\_month Last calendar month never No recent usage (beyond last month) token null, string The secret value used as the `Authorization: Bearer ` credential. Returned on every endpoint (create, update, retrieve, list, rotate) to callers whose current role has `can_manage_access_tokens`; otherwise `null`. Example: `"XXXXXXXXXXXXXXX"` role Role Type: [ResourceLinkage<"role"\>](https://www.datocms.com/docs/content-management-api/resources/role.md), null ## Available endpoints - [Create a new API token](https://www.datocms.com/docs/content-management-api/resources/access_token/create.md) - [Update an API token](https://www.datocms.com/docs/content-management-api/resources/access_token/update.md) - [List all API tokens](https://www.datocms.com/docs/content-management-api/resources/access_token/instances.md) - [Retrieve an API token](https://www.datocms.com/docs/content-management-api/resources/access_token/self.md) - [Rotate API token](https://www.datocms.com/docs/content-management-api/resources/access_token/regenerate_token.md) - [Delete an API token](https://www.datocms.com/docs/content-management-api/resources/access_token/destroy.md) ## Related content in "Content Management API" - [Content Management API Overview](https://www.datocms.com/docs/content-management-api.md) - [Using the JavaScript CMA client](https://www.datocms.com/docs/content-management-api/using-the-nodejs-clients.md) - [API versioning](https://www.datocms.com/docs/content-management-api/api-versioning.md) - [Authentication](https://www.datocms.com/docs/content-management-api/authentication.md) - [Environments](https://www.datocms.com/docs/content-management-api/setting-the-environment.md) - [Error codes & handling failures (CMA)](https://www.datocms.com/docs/content-management-api/errors.md) - [Pagination](https://www.datocms.com/docs/content-management-api/pagination.md) - [Asynchronous jobs](https://www.datocms.com/docs/content-management-api/async-jobs.md) - [Technical Limits (CMA)](https://www.datocms.com/docs/content-management-api/technical-limits.md) - [Record](https://www.datocms.com/docs/content-management-api/resources/item.md) - [Scheduled publication](https://www.datocms.com/docs/content-management-api/resources/scheduled-publication.md) - [Scheduled unpublishing](https://www.datocms.com/docs/content-management-api/resources/scheduled-unpublishing.md) - [Upload](https://www.datocms.com/docs/content-management-api/resources/upload.md) - [Site](https://www.datocms.com/docs/content-management-api/resources/site.md) - [Model/Block model](https://www.datocms.com/docs/content-management-api/resources/item-type.md) - [Field](https://www.datocms.com/docs/content-management-api/resources/field.md) - [Fieldset](https://www.datocms.com/docs/content-management-api/resources/fieldset.md) - [Record version](https://www.datocms.com/docs/content-management-api/resources/item-version.md) - [Upload permission](https://www.datocms.com/docs/content-management-api/resources/upload-request.md) - [Upload track](https://www.datocms.com/docs/content-management-api/resources/upload-track.md) - [Manual tags](https://www.datocms.com/docs/content-management-api/resources/upload-tag.md) - [Smart tags](https://www.datocms.com/docs/content-management-api/resources/upload-smart-tag.md) - [Upload Collection](https://www.datocms.com/docs/content-management-api/resources/upload-collection.md) - [Search Index](https://www.datocms.com/docs/content-management-api/resources/search-index.md) - [Search result](https://www.datocms.com/docs/content-management-api/resources/search-result.md) - [Search indexing activity](https://www.datocms.com/docs/content-management-api/resources/search-index-event.md) - [Environment](https://www.datocms.com/docs/content-management-api/resources/environment.md) - [Maintenance mode](https://www.datocms.com/docs/content-management-api/resources/maintenance-mode.md) - [Menu Item](https://www.datocms.com/docs/content-management-api/resources/menu-item.md) - [Schema Menu Item](https://www.datocms.com/docs/content-management-api/resources/schema-menu-item.md) - [Uploads filter](https://www.datocms.com/docs/content-management-api/resources/upload-filter.md) - [Model filter](https://www.datocms.com/docs/content-management-api/resources/item-type-filter.md) - [Plugin](https://www.datocms.com/docs/content-management-api/resources/plugin.md) - [Workflow](https://www.datocms.com/docs/content-management-api/resources/workflow.md) - [Asynchronous job](https://www.datocms.com/docs/content-management-api/resources/job.md) - [Job result](https://www.datocms.com/docs/content-management-api/resources/job-result.md) - [Account](https://www.datocms.com/docs/content-management-api/resources/account.md) - [Organization](https://www.datocms.com/docs/content-management-api/resources/organization.md) - [Invitation](https://www.datocms.com/docs/content-management-api/resources/site-invitation.md) - [Collaborator](https://www.datocms.com/docs/content-management-api/resources/user.md) - [Role](https://www.datocms.com/docs/content-management-api/resources/role.md) - [API token](https://www.datocms.com/docs/content-management-api/resources/access-token.md) - [Webhook](https://www.datocms.com/docs/content-management-api/resources/webhook.md) - [Webhook call](https://www.datocms.com/docs/content-management-api/resources/webhook-call.md) - [Build trigger](https://www.datocms.com/docs/content-management-api/resources/build-trigger.md) - [Deploy activity](https://www.datocms.com/docs/content-management-api/resources/build-event.md) - [Subscription limit](https://www.datocms.com/docs/content-management-api/resources/subscription-limit.md) - [Subscription feature](https://www.datocms.com/docs/content-management-api/resources/subscription-feature.md) - [SSO Settings](https://www.datocms.com/docs/content-management-api/resources/sso-settings.md) - [SSO User](https://www.datocms.com/docs/content-management-api/resources/sso-user.md) - [SSO Group](https://www.datocms.com/docs/content-management-api/resources/sso-group.md) - [White-label settings](https://www.datocms.com/docs/content-management-api/resources/white-label-settings.md) - [Audit log event](https://www.datocms.com/docs/content-management-api/resources/audit-log-event.md)