Using API tokens

  Last updated September 25, 2017

API tokens are unique authentication credentials assigned to individual users. You need to create an API token to use the Fastly API.

You can use API tokens to grant applications restricted access to your Fastly account and services. For example, an engineer user could limit a token to only have access to a single service, and restrict the scope to only allow that token to purge by URL. Every Fastly user can create up to 100 API tokens.

The API Token Management page allows you to create, view, and delete API tokens associated with your personal account. Superusers can view and delete any of the API tokens associated with the organization's Fastly account.

Best practices

Limiting an API token's service access and setting an expiration date restricts a credential's access, which can minimize the risk of damage if a credential is compromised. For more information, review the principle of least privilege.

Creating API tokens

To create an API token, follow the steps below:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. Click the Personal API tokens link. The Personal API Tokens page appears.
  3. Click the Create token button. The Create a Token page appears.

  4. Fill out the Create a Token fields as follows:
    • In the Password field, type your account password.
    • In the Name field, type a descriptive name for the API token that indicates how or where you will use the token.
    • In the Apply to area, optionally select a service to limit the API token to a single service.
    • In the Set a scope area, select one or more checkboxes to set a token's scope:
      • Global API access (global): Allows access to all endpoints, including purging.
      • Purge select content (purge_select): Allows purging with surrogate-key and URL. Does not include the ability to purge all cache.
      • Purge full cache (purge_all): Allows purging an entire service via purge_all API request.
      • Read-only access (global:read): Allows read-only access to account information, configuration, and stats.
    • In the Set a token expiration area, optionally set the API token to expire on a specified date. After a token expires, using it for any request will return an HTTP 401 response.
  5. Click the Create button to create the new API token. The string that comprises the token appears.

This is the credential you'll use to authenticate via the Fastly API. Copy this string to a secure location — it will never be visible again. You may use the same token for multiple applications.
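
Added example (not part of the original Fastly documentation): a Python check that applies the best practices above to a token inventory, flagging tokens with global or purge_all scope, no single-service limit, no expiration date, or an expiration date in the past. The record fields (name, scope, services, expires_at) and the sample records are assumptions constructed for this example.

```python
from datetime import datetime, timezone

# Scope names exactly as listed on this page.
KNOWN_SCOPES = {"global", "purge_select", "purge_all", "global:read"}

# Constructed inventory. The field names and the space-separated scope string
# are assumptions for this example, not a documented export format.
SAMPLE_TOKENS = [
    {"name": "ci-purge-by-url", "scope": "purge_select",
     "services": ["SERVICE_ID_PLACEHOLDER"], "expires_at": "2018-01-01T00:00:00+00:00"},
    {"name": "legacy-api-key", "scope": "global",
     "services": [], "expires_at": None},
    {"name": "dashboard-stats", "scope": "global:read",
     "services": [], "expires_at": "2017-06-01T00:00:00+00:00"},
]

def audit_token(token, now):
    """Return the least-privilege findings for one token record."""
    findings = []
    scopes = set(token.get("scope", "").split())
    unknown = scopes - KNOWN_SCOPES
    if unknown:
        findings.append("unknown scope: " + ", ".join(sorted(unknown)))
    if "global" in scopes:
        findings.append("global scope: access to all endpoints, including purging")
    if "purge_all" in scopes:
        findings.append("can purge an entire service")
    if not token.get("services"):
        findings.append("not limited to a single service")
    expires = token.get("expires_at")
    if expires is None:
        findings.append("no expiration date")
    elif datetime.fromisoformat(expires) <= now:
        findings.append("expired: requests will return HTTP 401")
    return findings

def audit_inventory(tokens, now=None):
    """Map each token name to its findings; an empty list means no findings."""
    now = now or datetime.now(timezone.utc)
    return {t["name"]: audit_token(t, now) for t in tokens}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_TOKENS).items():
        print(name, "->", findings or "ok")
```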

Viewing API tokens

You can view two types of API tokens for your account depending on your assigned role.

Viewing personal API tokens

To view personal API tokens, follow these steps:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. Click the Personal API tokens link. The Personal API tokens page appears with a list of your personal tokens.

Viewing account API tokens

To view account API tokens as a superuser, follow these steps:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. Click Account API tokens. The Account API Tokens page appears with a list of tokens associated with your organization's Fastly account.

Deleting API tokens

Deleting personal API tokens

To delete a personal API token, follow the steps below:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. Click the Personal API tokens link. The Personal API tokens page appears with a list of your personal tokens.
  3. Find the API token you want to delete and click the trash icon. A warning message appears.
  4. Click the Delete button to permanently delete the API token.

Deleting account API tokens

To delete an account API token or to revoke another user's API token as a superuser, follow the steps below:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. Click the Account API tokens link. The Account API Tokens page appears with a list of tokens associated with your organization's Fastly account.
  3. Find the API token you want to delete and click the trash icon. A warning message appears.
  4. Click the Delete button to permanently delete the API token.

Legacy API keys

If you created a Fastly account before May 15th, 2017, you may have used an API key (or multiple API keys) to authenticate API requests. This account-level credential was migrated to a personal API token with a global scope and access to all of your services. Because all tokens need to be owned by a user, this credential was assigned to a newly created, synthetic user with the name Global API Token.
