Using API tokens

  Last updated March 30, 2017

API tokens are unique authentication credentials assigned to individual users. You need to create an API token to use the Fastly API.

You can use API tokens to grant applications restricted access to your Fastly account and services. For example, an engineer user could limit a token to only have access to a single service, and restrict the scope to only allow that token to purge by URL. Every Fastly user can create up to 100 API tokens.

The API Token Management page allows you to create, view, and delete API tokens associated with your personal account. Superusers can view and delete any of the API tokens associated with the organization's Fastly account.

Best practices

Limiting an API token's service access and setting an expiration date restricts a credential's access, which can minimize the risk of unintentional or intentional damage in the event that a credential is compromised. For more information, review the principle of least privilege.

Creating API tokens

To create an API token, follow the steps below:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. In the API Authentication area near the bottom of the page, click the Manage your personal API tokens link. The API Token Management page appears.
  3. Click the Create token button. The Create a Token page appears.

  4. Fill out the Create a Token fields as follows:
    • In the Password field, type your account password.
    • In the Name field, type a descriptive name for the API token that indicates how or where you will use the token.
    • In the Apply to area, optionally select a service to limit the API token to a single service.
    • In the Set a scope area, select one or more checkboxes to set a token's scope:
      • Global API access (global): Allows access to all endpoints, including purging.
      • Purge select content (purge_select): Allows purging with surrogate-key and URL. Does not include the ability to purge all cache.
      • Purge full cache (purge_all): Allows purging an entire service via a purge_all API request.
      • Read-only access (global:read): Allows read-only access to account information, configuration, and stats.
    • In the Set a token expiration area, optionally set the API token to expire on a specified date. After a token expires, using it for any request will return an HTTP 401 response.
  5. Click the Create button to create the new API token. The string that comprises the token appears.

This is the credential that you'll use to authenticate via the Fastly API. Copy this string to a secure location — it will never be visible again. You may use the same token for multiple applications.
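
The best practices above can be checked mechanically. The following Python audit is an added example, not Fastly's code: it flags tokens in an inventory that carry the global or purge_all scope, are not limited to a service, have no expiration date, are already expired, or expire far in the future. The record fields (name, scope as a space-separated string, services, expires_at), the 90-day maximum lifetime, and the sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

KNOWN_SCOPES = {"global", "purge_select", "purge_all", "global:read"}  # from this page
MAX_LIFETIME = timedelta(days=90)  # assumed local policy, not a Fastly limit


def audit_token(token, now):
    """Return least-privilege findings for one token record."""
    findings = []
    # Split on whitespace: a substring test would misread "global:read" as "global".
    scopes = set(token.get("scope", "").split())
    if "global" in scopes:
        findings.append("global scope: all endpoints, including purging")
    if "purge_all" in scopes:
        findings.append("purge_all scope: can purge an entire service")
    for unknown in sorted(scopes - KNOWN_SCOPES):
        findings.append(f"unknown scope: {unknown}")
    if not token.get("services"):
        findings.append("not limited to a single service")
    expires = token.get("expires_at")
    if expires is None:
        findings.append("no expiration date")
    else:
        expiry = datetime.fromisoformat(expires)
        if expiry <= now:
            findings.append("expired: requests with it return HTTP 401")
        elif expiry - now > MAX_LIFETIME:
            findings.append(f"expires more than {MAX_LIFETIME.days} days out")
    return findings


def audit(tokens, now):
    """Map token name -> findings, omitting tokens with nothing to report."""
    return {t["name"]: f for t in tokens if (f := audit_token(t, now))}


# Constructed sample inventory; names and the service ID are placeholders.
NOW = datetime(2017, 3, 30, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"name": "ci-purge-by-url", "scope": "purge_select",
     "services": ["SERVICE_ID_PLACEHOLDER"], "expires_at": "2017-06-01T00:00:00+00:00"},
    {"name": "legacy-deploy", "scope": "global", "services": [], "expires_at": None},
    {"name": "dashboard", "scope": "global:read", "services": [],
     "expires_at": "2017-01-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_TOKENS, NOW).items():
        print(name, "->", "; ".join(found))
```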

Viewing API tokens

To view your API tokens, follow the steps below:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. In the API Authentication area near the bottom of the page, click the Manage your personal API tokens link. The API Token Management page appears. This is where you can see the list of your personal API tokens. If you're a superuser, click the Account API Tokens tab to see a list of all the API tokens associated with your organization's Fastly account.

Deleting API tokens

To delete an API token, follow the steps below:

  1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
  2. In the API Authentication area near the bottom of the page, click the Manage your personal API tokens link. The API Token Management page appears.
  3. Find the API token you want to delete and click the trash icon. A warning message appears.

  4. Click the Delete button to permanently delete the API token.
