Create a new API token
Creates a new API token for the project. Each token combines a Role (which actions are permitted) with a set of API surface flags (can_access_cda, can_access_cda_preview, can_access_cma) that gate which APIs the token can call at all. Effective capabilities are the intersection of the two layers.
The Content Delivery API has no write endpoints. If a token has can_access_cda: true (and/or can_access_cda_preview: true) but can_access_cma: false, attaching it to a role with update/publish/delete permissions is harmless — those actions have no surface to act on. This is useful when you want to share a single Role definition between an editor (who acts via the dashboard / CMA) and the public-facing read token of the same project (used by a frontend / CDA).
The new token's secret is returned in attributes.token of the response (and on every subsequent read, as long as the caller has can_manage_access_tokens).
Body parameters
type: Must be exactly "access_token".
name: Name of API token. Example: "Read-only API token"
can_access_cda: Whether this API token can call the Content Delivery API (graphql.datocms.com) to fetch published content.
can_access_cda_preview: Whether this API token can call the Content Delivery API with the X-Include-Drafts: true header to fetch draft (current, unpublished) content. There is no separate endpoint: the CDA is a single GraphQL endpoint and this flag governs whether requesting drafts is allowed.
can_access_cma: Whether this API token can access the Content Management API.
Returns
Returns a resource object of type access_token.
Examples
POST https://site-api.datocms.com/access_tokens HTTP/1.1
Authorization: Bearer YOUR-API-TOKEN
Accept: application/json
X-Api-Version: 3
Content-Type: application/vnd.api+json

{
  "data": {
    "type": "access_token",
    "attributes": {
      "name": "Read-only API token",
      "can_access_cda": true,
      "can_access_cda_preview": true,
      "can_access_cma": true
    },
    "relationships": {
      "role": { "data": { "type": "role", "id": "34" } }
    }
  }
}

curl -g 'https://site-api.datocms.com/access_tokens' \
  -X POST \
  -H "Authorization: Bearer YOUR-API-TOKEN" \
  -H "Accept: application/json" \
  -H "X-Api-Version: 3" \
  -H "Content-Type: application/vnd.api+json" \
  --data-binary '{"data":{"type":"access_token","attributes":{"name":"Read-only API token","can_access_cda":true,"can_access_cda_preview":true,"can_access_cma":true},"relationships":{"role":{"data":{"type":"role","id":"34"}}}}}'

await fetch("https://site-api.datocms.com/access_tokens", {
  method: "POST",
  headers: {
    Authorization: "Bearer YOUR-API-TOKEN",
    Accept: "application/json",
    "X-Api-Version": "3",
    "Content-Type": "application/vnd.api+json",
  },
  body: JSON.stringify({
    data: {
      type: "access_token",
      attributes: {
        name: "Read-only API token",
        can_access_cda: true,
        can_access_cda_preview: true,
        can_access_cma: true,
      },
      relationships: { role: { data: { type: "role", id: "34" } } },
    },
  }),
});

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: cache-control: max-age=0, private, must-revalidate
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 28

{
  "data": {
    "type": "access_token",
    "id": "312",
    "attributes": {
      "name": "Read-only API token",
      "hardcoded_type": "",
      "can_access_cda": true,
      "can_access_cda_preview": true,
      "can_access_cma": true,
      "last_cma_access": "never",
      "last_cda_access": "never"
    },
    "relationships": {
      "role": { "data": { "type": "role", "id": "34" } }
    }
  }
}
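An added example, not DatoCMS code: an audit over access_token resources that applies the two-layer model described at the top of this page, reporting which tokens end up with real write capability once role and surface flags are intersected. Field names come from the response above; the writeRoleIds input (role ids already known to grant update/publish/delete) and token 313 are assumptions constructed for illustration.

```javascript
// Added example (not DatoCMS code). Input objects follow the access_token
// resource shape shown in the response above. `writeRoleIds` is an assumption:
// role ids the reviewer has already identified as granting update/publish/delete.
function auditToken(token, writeRoleIds) {
  const a = token.attributes;
  const roleId = token.relationships?.role?.data?.id ?? null;
  const roleCanWrite = roleId !== null && writeRoleIds.has(roleId);
  const findings = [];

  // Layer intersection: role write permissions only matter on the CMA
  // surface, because the CDA has no write endpoints.
  const effectiveWrite = Boolean(a.can_access_cma) && roleCanWrite;
  if (effectiveWrite) findings.push("write-capable");

  // Surface enabled but never exercised: candidate for switching off.
  if (a.can_access_cma && a.last_cma_access === "never") findings.push("cma-unused");

  // Draft content is reachable through the CDA with X-Include-Drafts: true.
  if (a.can_access_cda_preview) findings.push("drafts-readable");

  // No surface flag set: the token cannot call any API.
  if (!a.can_access_cda && !a.can_access_cda_preview && !a.can_access_cma) {
    findings.push("no-surface");
  }
  return { id: token.id, name: a.name, roleId, effectiveWrite, findings };
}

function auditTokens(tokens, writeRoleIds) {
  const roles = new Set(writeRoleIds);
  return tokens.map((t) => auditToken(t, roles));
}

// Constructed sample data: id 312 mirrors the response above; id 313 is a
// hypothetical CDA-only token attached to the same role.
const SAMPLE_TOKENS = [
  { type: "access_token", id: "312",
    attributes: { name: "Read-only API token", can_access_cda: true, can_access_cda_preview: true,
      can_access_cma: true, last_cma_access: "never", last_cda_access: "never" },
    relationships: { role: { data: { type: "role", id: "34" } } } },
  { type: "access_token", id: "313",
    attributes: { name: "Frontend token", can_access_cda: true, can_access_cda_preview: false,
      can_access_cma: false, last_cma_access: "never", last_cda_access: "never" },
    relationships: { role: { data: { type: "role", id: "34" } } } },
];

console.log(JSON.stringify(auditTokens(SAMPLE_TOKENS, ["34"]), null, 2));
```

With role 34 treated as a write role, the token from the example above is reported as write-capable despite its name, while the CDA-only token on the same role produces no findings.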