    Using API tokens

      Last updated July 03, 2019

    API tokens are unique authentication credentials assigned to individual users. You need to create an API token to use the Fastly API.

    You can use API tokens to grant applications restricted access to your Fastly account and services. For example, an engineer user could limit a token to only have access to a single service, and restrict the scope to only allow that token to purge by URL. Every Fastly user can create up to 100 API tokens.

    The API Token Management page allows you to create, view, and delete API tokens associated with your personal account. Superusers can view and delete any of the API tokens associated with the organization's Fastly account.

    Best practices

    Limiting an API token's service access and setting an expiration date restricts a credential's access, which can minimize the risk of damage if a credential is compromised. For more information, review the principle of least privilege.

    Creating API tokens

    To create an API token, follow the steps below:

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the Personal API tokens link. The Personal API Tokens page appears.
    3. Click the Create token button. The Create a Token page appears.

    4. Fill out the Create a Token fields as follows:
      • In the Password field, type your account password.
      • In the Name field, type a descriptive name for the API token that indicates how or where you will use the token.
      • In the Apply to area, optionally select a service to restrict the service-level access of the token to one service.
      • In the Set a scope area, select one or more checkboxes to set a token's scope:
        • Global API access (global): Allows access to all endpoints, including purging.
        • Purge select content (purge_select): Allows purging with surrogate-key and URL. Does not include the ability to purge all cache.
        • Purge full cache (purge_all): Allows purging an entire service via purge_all API request.
        • Read-only access (global:read): Allows read-only access to account information, configuration, and stats.
      • In the Set a token expiration area, optionally set the API token to expire on a specified date. After a token expires, using it for any request will return an HTTP 401 response.
    5. Click the Create button to create the new API token. The string that comprises the token appears.

    This is the credential you'll use to authenticate via the Fastly API. Copy this string to a secure location — it will never be visible again. You may use the same token for multiple applications.

    Viewing API tokens

    You can view two types of API tokens for your account depending on your assigned role.

    Viewing personal API tokens

    To view personal API tokens, follow these steps:

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the Personal API tokens link. The Personal API tokens page appears with a list of your personal tokens.

    Viewing account API tokens

    To view account API tokens as a superuser, follow these steps:

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click Account API tokens. The Account API Tokens page appears with a list of tokens associated with your organization's Fastly account.
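
    The least-privilege checks from the Best practices section, applied to a token inventory such as the list a superuser reviews on this page. This is an added example, not Fastly's own code: the record field names (name, scope, services, expires_at), the 90-day lifetime policy, the choice of which scopes count as broad, and the sample records are all assumptions made for illustration; only the scope names come from this page.

```python
from datetime import datetime, timedelta, timezone

# Scope names are the ones listed under "Set a scope" on this page.
# Treating global and purge_all as "broad" is this example's assumption.
BROAD_SCOPES = {"global", "purge_all"}
KNOWN_SCOPES = BROAD_SCOPES | {"purge_select", "global:read"}
MAX_LIFETIME = timedelta(days=90)  # assumed local policy, not a Fastly limit

def audit_token(token, now):
    """Return the least-privilege findings for one token record."""
    findings = []
    scopes = set(token.get("scope", "").split())
    for s in sorted(scopes & BROAD_SCOPES):
        findings.append(f"broad scope '{s}'")
    for s in sorted(scopes - KNOWN_SCOPES):
        findings.append(f"unrecognized scope '{s}'")
    if not token.get("services"):
        findings.append("not restricted to a service")
    expires = token.get("expires_at")
    if expires is None:
        findings.append("no expiration date")
    else:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if when <= now:
            findings.append("already expired (requests return HTTP 401)")
        elif when - now > MAX_LIFETIME:
            findings.append("expires more than 90 days out")
    return findings

def audit(tokens, now=None):
    """Map token name -> findings, omitting tokens with nothing to report."""
    now = now or datetime.now(timezone.utc)
    report = {t["name"]: audit_token(t, now) for t in tokens}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (hypothetical records and field names).
SAMPLE_TOKENS = [
    {"name": "ci-purge-by-url", "scope": "purge_select",
     "services": ["SERVICE_ID_PLACEHOLDER"], "expires_at": "2019-09-01T00:00:00Z"},
    {"name": "Global API Token", "scope": "global",
     "services": [], "expires_at": None},
    {"name": "dashboard-stats", "scope": "global:read",
     "services": [], "expires_at": "2020-07-03T00:00:00Z"},
]

if __name__ == "__main__":
    as_of = datetime(2019, 7, 3, tzinfo=timezone.utc)
    for name, findings in audit(SAMPLE_TOKENS, as_of).items():
        print(f"{name}: {'; '.join(findings)}")
```

    Tokens that come back with findings are candidates for deletion and re-creation with a narrower scope, a single service, and an expiration date.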

    Deleting API tokens

    Deleting personal API tokens

    To delete a personal API token, follow the steps below:

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the Personal API tokens link. The Personal API Tokens page appears with a list of your personal tokens.
    3. Find the API token you want to delete and click the trash icon. A warning message appears.
    4. Click the Delete button to permanently delete the API token.

    Deleting account API tokens

    To delete an account API token or to revoke another user's API token as a superuser, follow the steps below:

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the Account API tokens link. The Account API Tokens page appears with a list of tokens associated with your organization's Fastly account.
    3. Find the API token you want to delete and click the trash icon. A warning message appears.
    4. Click the Delete button to permanently delete the API token.

    Legacy API keys

    If you created a Fastly account before May 15th, 2017, you may have used an API key (or multiple API keys) to authenticate API requests. This account-level credential was migrated to a personal API token with a global scope and access to all of your services. Because all tokens need to be owned by a user, this credential was assigned to a newly created, synthetic user with the name Global API Token.
