Authentication

To authenticate your account when making API requests, include an access token in the Authorization header. There are two types of access tokens in Storyblok:

Personal access token

A Personal Access Token is obtained from the Storyblok UI and grants access to all spaces associated with your account, including the Management API.

It is not tied to a single space but allows actions based on your permissions in all accessible spaces. This token is used without the Bearer keyword in the Authorization header. You can generate or manage personal access tokens in the Storyblok account settings.

Caution

Personal access tokens grant broad access to your account. Never expose them in frontend code or commit them to version control. Always store them securely using environment variables. If exposed, revoke the token immediately and generate a new one.

OAuth Access Token

An OAuth Access Token is obtained via the OAuth2 authentication flow and is tied to a single space.

• It has a time-to-live (TTL) and is used for authenticating third-party apps or integrations.
• Permissions (scopes) such as read_content and write_content are granted during the OAuth process.
• This token must be used with the Bearer keyword in the Authorization header.

You can learn more about obtaining an OAuth access token in the OAuth 2.0 Authorization Flow.

Examples

Personal Access Token (curl)

curl -H "Authorization: YOUR_PERSONAL_ACCESS_TOKEN" https://mapi.storyblok.com/

OAuth Access Token (curl)

curl -H "Authorization: Bearer YOUR_OAUTH_ACCESS_TOKEN" https://mapi.storyblok.com/

Personal Access Token (JavaScript)

const StoryblokClient = require('storyblok-js-client')

const Storyblok = new StoryblokClient({
oauthToken: 'YOUR_PERSONAL_ACCESS_TOKEN'
})

OAuth Access Token (JavaScript)

const StoryblokClient = require('storyblok-js-client')

const Storyblok = new StoryblokClient({
oauthToken: 'Bearer YOUR_PERSONAL_ACCESS_TOKEN'
})