Types of Tokens

Contentstack uses different types of tokens to authorize and authenticate API requests for accessing or managing content within a stack. Each token type has a specific purpose and serves different levels of access.

This section provides a quick overview of the token types, their uses, limitations, and the roles that can create or manage them.

The following table provides a quick comparison of the different token types available in Contentstack:

A Delivery Token is a read-only, environment-specific token used to fetch published content from a particular environment via Content Delivery APIs.

It ensures secure access to published content from specific environments such as staging or production, without exposing draft or unpublished data.

• Must be used along with the stack API key to authorize requests.
• Can only fetch published content (no access to drafts or unpublished data).
• Each delivery token is scoped to a specific environment and cannot be shared across multiple environments.
• Multiple Delivery Tokens can be created and associated with the same environment.
• Can be created by Stack Owners, Admins, and Developers.

• This token, once created, cannot be reset and remains constant.
• Cannot be used to create, update, or delete any content.

• Provide a staging delivery token to QA or testers for validating published content without exposing production data.
• Assign separate tokens to different frontend applications, each restricted to their environment.
• Allow third-party services to safely pull published content without granting write access.

Note: Access Tokens are no longer supported for stacks created after December 16, 2020. For newer stacks, Contentstack recommends using Delivery Tokens to fetch published content and Management Tokens to perform content management operations.

An Access Token is a read-only, stack-level token used to fetch both published and unpublished (draft) content using Content Delivery APIs.

• Works with the stack API key to authorize API requests.
• Can fetch content from all environments, regardless of publishing status.

• Available by default when a stack is created (for stacks created before December 16, 2020).
• Can be reset by the Stack Owners, Admins, and Developers.

An Authtoken is a user-specific, read/write token used to perform authorized operations via the Content Management API. It allows users to create, read, update, or delete content in a stack based on their permissions.

• Must be used along with the stack API key to authorize requests.
• Supports read/write operations, including the creation of delivery and management tokens.

• An Authtoken is generated when a user logs in using the Log in to your account API request.
• The maximum number of active Authtokens a user can hold is 20.
• When the 21st token is generated, the oldest token is automatically expired.

• In SSO-enabled organizations, only the owner and users with permission to access the organization without SSO can generate Authtokens.
• Users logging in using an Identity Provider (IdP) such as Google or Okta cannot generate Authtokens.

An automated content script, scheduled for overnight execution, maintains product inventory within a stack in Contentstack. The script leverages an Authtoken and the stack API key to authenticate requests and update the product inventory based on data sourced from an external system.

Since Authtokens support read and write access, the script can:

• Fetch existing entries
• Update stock levels
• Publish changes automatically

This setup ensures secure automated updates without manual intervention.

A Management Token is a stack-level, read-write token used to perform various content management operations such as creating, reading, updating, and deleting content within your stack.

It is ideal for use in integrations, scripts, and third-party services that require authenticated access without relying on user-specific Authtokens.

• Must be used along with the stack API key to authorize requests.
• Can be configured as read-only or write-only at the time of creation.
• Optionally, a token expiration date can be set for added control.
• Provides access to most content management functions, but cannot be used for administrative modules such as organization, stack, user sessions, and tokens.

• Can be created only by Stack Owners and Admins.
• Cannot be created by Developers or Content Managers.

• External developers can use a Management Token to perform automated read/write operations when integrating with third-party applications without needing personal Authtokens.
• In SSO-enabled organizations, Management Tokens allow direct access to Content Management APIs, eliminating the need for login-based authentication.