
API token

An API token authenticates programmatic access to a project. Each token combines two layers of access control:

  1. A Role that defines what actions are permitted (the same Role resource used for human collaborators).
  2. A set of API surface flags (can_access_cda, can_access_cda_preview, can_access_cma) that gate which APIs the token can hit at all.

The token's effective capabilities are the intersection of the two.

💡 A CDA-only token can safely reuse a write-capable Role

A token with only can_access_cda: true is safe to attach to a Role that grants update/publish/delete — the Content Delivery API exposes no write endpoints, so those actions have no surface to act on. This makes it practical to share a single Role definition between an editor (acting via the dashboard / CMA) and a public read token (used by a frontend / CDA) for the same project.

Object payload

id string

ID of access_token

Example: "312"

type string

Must be exactly "access_token".

attributes.name string

Name of API token

Example: "Read-only API token"

attributes.hardcoded_type null, string

Internal marker for the project's built-in factory tokens (e.g. read-only API token), seeded by DatoCMS when the project is created. Read-only attribute. When non-null, attribute updates are rejected with NON_EDITABLE_ACCESS_TOKEN, but the token can still be deleted and regenerated. null for any token created via this API.

attributes.can_access_cda boolean

Whether this API token can call the Content Delivery API (graphql.datocms.com) to fetch published content.

attributes.can_access_cda_preview boolean

Whether this API token can call the Content Delivery API with the X-Include-Drafts: true header to fetch draft (current, unpublished) content. There is no separate endpoint — the CDA is a single GraphQL endpoint and this flag governs whether requesting drafts is allowed.

attributes.can_access_cma boolean

Whether this API token can access the Content Management API

attributes.last_cma_access enum

When this API token was last used to access the Content Management API

Example: "never"

  - today: Today
  - yesterday: Yesterday
  - this_week: This week (Monday-Sunday)
  - last_week: Last week (Monday-Sunday)
  - this_month: This calendar month
  - last_month: Last calendar month
  - never: No recent usage (beyond last month)

attributes.last_cda_access enum

When this API token was last used to access the Content Delivery API

Example: "never"

  - today: Today
  - yesterday: Yesterday
  - this_week: This week (Monday-Sunday)
  - last_week: Last week (Monday-Sunday)
  - this_month: This calendar month
  - last_month: Last calendar month
  - never: No recent usage (beyond last month)

attributes.token null, string

The secret value used as the Authorization: Bearer <token> credential. Returned on every endpoint (create, update, retrieve, list, rotate) to callers whose current role has can_manage_access_tokens; otherwise null.

Example: "XXXXXXXXXXXXXXX"

relationships.role.data

Role
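
An added example (not DatoCMS code) of a least-privilege audit over tokens shaped like the object payload above: it computes the write actions each token can really perform as the intersection of its Role and its API surface flags, and uses last_cma_access / last_cda_access to spot surfaces that are enabled but idle. The ROLE_ACTIONS map, the role ids and the sample tokens are constructed assumptions, since the Role resource itself is not described on this page.

```javascript
// Added example; ROLE_ACTIONS is a hypothetical stand-in for Role resources.
const ROLE_ACTIONS = {
  "34": ["read", "update", "publish", "delete"], // "Editor"
  "35": ["read"], // "Viewer"
};
const WRITE_ACTIONS = ["update", "publish", "delete"];
// Builds a constructed token shaped like the object payload on this page.
function tokenFixture(id, name, roleId, [cda, preview, cma], [lastCma, lastCda]) {
  return {
    id, type: "access_token",
    attributes: {
      name, hardcoded_type: null, token: null,
      can_access_cda: cda, can_access_cda_preview: preview, can_access_cma: cma,
      last_cma_access: lastCma, last_cda_access: lastCda,
    },
    relationships: { role: { data: { type: "role", id: roleId } } },
  };
}
const SAMPLE_TOKENS = [
  tokenFixture("312", "Read-only API token", "34", [true, false, false], ["never", "today"]),
  tokenFixture("313", "CI sync", "34", [false, false, true], ["this_week", "never"]),
  tokenFixture("314", "Legacy frontend", "34", [true, true, true], ["never", "yesterday"]),
  tokenFixture("315", "Old preview", "35", [true, true, false], ["never", "never"]),
];

// Role grants intersected with the API surface: only the CMA exposes writes.
function effectiveWriteActions(token, roles = ROLE_ACTIONS) {
  const granted = roles[token.relationships.role.data?.id] ?? [];
  return token.attributes.can_access_cma
    ? granted.filter((action) => WRITE_ACTIONS.includes(action))
    : [];
}

function auditToken(token, roles = ROLE_ACTIONS) {
  const a = token.attributes;
  const findings = [];
  // "never" means no usage more recent than last month, not literally never.
  if (a.last_cma_access === "never" && a.last_cda_access === "never") {
    findings.push("unused: candidate for deletion");
  } else {
    if (a.can_access_cma && a.last_cma_access === "never")
      findings.push("can_access_cma enabled but CMA not used recently");
    if ((a.can_access_cda || a.can_access_cda_preview) && a.last_cda_access === "never")
      findings.push("CDA flags enabled but CDA not used recently");
  }
  return { id: token.id, name: a.name, write: effectiveWriteActions(token, roles), findings };
}

console.log(SAMPLE_TOKENS.map((t) => auditToken(t)));
```

Token 312 shares the write-capable role with 313 yet ends up with no write actions because only can_access_cda is set, while 314 is the one to narrow: its CMA surface is enabled but idle.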

Available endpoints