Types of Tokens

Here’s a cheat sheet to understand the usage, limitations, and characteristics of the different types of tokens that Contentstack provides.

Note: Both the delivery and management tokens can be assigned to all the branches or to a specific branch. You can also assign them to all the aliases or a specific alias, to fetch or manage data from their associated branches. Refer to our Global Modules document for more information.

Delivery Tokens

  • A Delivery Token is a read-only, environment-specific token to fetch published content of an environment.
  • It needs to be used along with the stack API key to make authorized Content Delivery API requests.
  • A Delivery Token cannot be used for multiple environments, but multiple Delivery Tokens can be associated with a single environment.
  • Stack owner, admins, and developers can create Delivery Tokens
  • Limitations of delivery tokens:
    • A single delivery token cannot be used to fetch content of more than one environment.
    • It cannot be used to fetch unpublished or draft content.
    • It cannot be used to create or update content.
    • It remains constant for a particular environment and cannot be reset
    • A maximum of 20 delivery tokens can be created for a stack.
  • Examples of usage:
    • If you want the testers to fetch content of only the “staging” environment, while giving core developers access to the “production” environment, use different delivery tokens for different environments.
  • Access Tokens

    Note: We have stopped supporting Access Tokens for all stacks created after December 16, 2020. We recommend using Delivery Tokens to access published content and Management Tokens for making content management API requests.

    • Access Token is a read-only, stack-level token to retrieve published as well as unpublished (draft) content irrespective of the environment
    • It needs to be used along with the stack API key to make authorized Content Delivery API requests.
    • An Access Token need not be created since it is available by default. However, it can be reset.
    • Only stack owner, admins and developers can reset it.

    Authentication Tokens (Authtokens)

    • An Authtoken is a read-write token to create, read, update, or delete content and other elements of your stack.
    • It is a user-specific token, used along with the stack API key, to make authorized Content Management requests. It needs to be passed as a header in each Content Management API request to validate the user session.
    • Authtoken can be retrieved by logging in to Contentstack using the “Log in to your account”request.
    • You can generate multiple authtokens by executing the Log in to your account request multiple times.
    • It can be used to create delivery tokens and management tokens.
    • It does not have an expiration time limit.
    • Limitations of authtokens:
      • A maximum of 20 authtokens can be actively used by a user.
      • If the 21st authtoken is generated, the oldest authtoken will expire.
      • For SSO-enabled organizations, it can be generated by only the owner of an SSO-enabled organization and users with permission to access the organization without SSO.
      • It cannot be generated by users who access the organization through Identity Provider login credentials.

    Management Tokens

    • A Management Token is a stack-level, read-write token to manage the content and other elements of your stack (i.e., create, read, update, or delete).
    • It needs to be used along with the stack API key to make authorized Content Management API requests.
    • Only the stack owner or admins can create Management Tokens.
    • During creation, stack owners and admins can define if the token should be read-only or write-only and if the token should expire on a specific date.
    • Limitations of management tokens:
      • A maximum of 10 Management Tokens can be created per stack.
      • It cannot be used to create Delivery Tokens.
      • It cannot be generated by developers or content managers of the stack.
      • It cannot be used to perform any read/write actions related to the following modules: organization, stack, user session, and tokens.
      • It cannot be used to invite users to and remove users from the stack.
      • It cannot be used to accept/reject a received publish/unpublish request for an entry.
    • Examples of usage:
      • While integrating third-party applications with Contentstack, external developers can use the management token to perform a series of read-write actions, instead of using their personal auth token.
      • For SSO-enabled organizations, instead of logging in with credentials and generating an authtoken, users can directly use the Content Management APIs to read, create, update, or delete content using the management token.
Was this article helpful?