
Delete an API token

Deletes an API token. The secret is invalidated immediately and any client still using it will receive 401 Unauthorized on its next request.

API tokens are first-class users in DatoCMS — they can own records, uploads, filters, and editing sessions. When the token to delete owns any such resources, the request must specify a destination owner via the destination_user_type (user, sso_user, access_token, or account) and destination_user_id query parameters; ownership is transferred to that user before the token is removed. If the token owns nothing, the parameters can be omitted.

A token cannot delete itself — this endpoint rejects requests authenticated with the very token being destroyed (CANNOT_DESTROY_CURRENT_USER). Use a different credential to revoke it.

Query parameters

destination_user_type enum

New owner for resources previously owned by the deleted access token. This argument specifies the new owner type. Use account or organization to reassign to the project's owner — client.site.find().owner returns the right type/id pair to pass.

Example: "account"

Allowed values: account, organization, user, access_token, sso_user

destination_user_id string

New owner for resources previously owned by the deleted access token. This argument specifies the new owner ID.

Example: "7865"

Returns

Returns a resource object of type access_token

Other examples

An API token may own resources — records it created, uploads it pushed, shared filters, editing sessions. Deleting the token transfers ownership of those resources to the user identified by the destination_user_type + destination_user_id query parameters before destroying the token.

This example reassigns to the project's owner: client.site.find().owner is always present and returns the account or organization directly, so it works as a universal fallback. Set destination_user_type to user, sso_user, or access_token instead to reassign to a specific collaborator or sibling token.

If you skip the parameters and the token still owns resources, the deletion will leave them orphaned. Always pass a destination unless you've verified the token owns nothing.

import { buildClient } from "@datocms/cma-client-node";

async function run() {
  const client = buildClient({ apiToken: process.env.DATOCMS_API_TOKEN });

  // Look up the token we want to retire.
  const allTokens = await client.accessTokens.list();
  const tokenToDelete = allTokens.find(
    (candidate) => candidate.name === "Legacy CI token",
  );
  // Stop before the destructive call if no token has that name.
  if (!tokenToDelete) {
    throw new Error('No API token named "Legacy CI token" found');
  }

  // The project's owner — an account or an organization — is always present
  // and is the safest fallback destination for orphaned resources.
  const site = await client.site.find();

  await client.accessTokens.destroy(tokenToDelete.id, {
    destination_user_type: site.owner.type,
    destination_user_id: site.owner.id,
  });

  console.log(
    `Deleted token ${tokenToDelete.id}; resources transferred to ${site.owner.type} ${site.owner.id}.`,
  );
}

run();

Deleted token 407202; resources transferred to organization 628404.
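
A pre-flight guard for this deletion, as an added example that is not DatoCMS's own code: it selects the token by name, refuses to target the credential in use (the CANNOT_DESTROY_CURRENT_USER case), validates the destination against the enum values listed above, and re-lists tokens afterwards to confirm removal. The currentTokenId parameter, the function names and the sample ids are assumptions made for illustration.

```javascript
// Added example, not DatoCMS code. Owner types are the enum values on this page.
const OWNER_TYPES = ["account", "organization", "user", "access_token", "sso_user"];

// Constructed sample data (ids are made up).
const SAMPLE_TOKENS = [
  { id: "101", name: "Legacy CI token" },
  { id: "102", name: "Deploy token" },
];
const SAMPLE_OWNER = { type: "organization", id: "900" };

// Pure planning step: pick the token and its query parameters, or throw
// before any destructive call. `currentTokenId` is a hypothetical parameter:
// the id of the token whose secret authenticates this client.
function planTokenRevocation(tokens, name, owner, currentTokenId) {
  const matches = tokens.filter((t) => t.name === name);
  if (matches.length !== 1) {
    throw new Error(`Expected one token named "${name}", found ${matches.length}`);
  }
  const [target] = matches;
  if (target.id === currentTokenId) {
    // The API would reject this with CANNOT_DESTROY_CURRENT_USER; fail early.
    throw new Error("Refusing to revoke the token this client authenticates with");
  }
  if (!OWNER_TYPES.includes(owner.type)) {
    throw new Error(`Unsupported destination_user_type: ${owner.type}`);
  }
  if (owner.type === "access_token" && owner.id === target.id) {
    // Defensive check added here: a sibling token is fine, the token itself is not.
    throw new Error("Destination owner cannot be the token being deleted");
  }
  return {
    id: target.id,
    params: { destination_user_type: owner.type, destination_user_id: owner.id },
  };
}

// Runs the plan with the client calls shown on this page, then confirms the
// token is no longer listed. `client` is any object exposing those calls.
async function revokeToken(client, name, currentTokenId) {
  const tokens = await client.accessTokens.list();
  const site = await client.site.find();
  const plan = planTokenRevocation(tokens, name, site.owner, currentTokenId);
  await client.accessTokens.destroy(plan.id, plan.params);
  const remaining = await client.accessTokens.list();
  if (remaining.some((t) => t.id === plan.id)) {
    throw new Error(`Token ${plan.id} is still listed after deletion`);
  }
  return plan;
}
```

Pass the client returned by buildClient as the first argument; the planning function can also be run on its own against a saved token list to preview what would be deleted.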