Access Tokens

Storyblok offers a rich set of APIs and services for delivering and managing content and assets. Tokens safeguard access to these services.

Content Delivery API access tokens

Use the Content Delivery API's read-only access tokens to view the content and assets of a specific space.

To manage per-space tokens and generate new ones, select the space and open Settings → Access Tokens.

The following types of tokens are available:

• Public: access published content using the Content Delivery API. Use this token in production frontends.
• Preview: access draft and published content using the Content Delivery API. Use this token in the Visual Editor or staging environments.
• Asset: access private assets using the Content Delivery API.
• Release: access content associated with a specific release. Requires the Releases app.
• Theme: access a theme for use by the Storyblok rendering service (deprecated).

Tip

To specify how long the CDN caches the content, set a time-to-live (TTL). Learn more in the caching developer concept.

The following example uses the JavaScript SDK to fetch published stories via the Content Delivery API:

import { apiPlugin, storyblokInit } from '@storyblok/js';

const { storyblokApi } = storyblokInit({
  accessToken: 'YOUR_ACCESS_TOKEN',
  use: [apiPlugin],
});

// Use a public or preview access token
const { data } = await storyblokApi.get('cdn/stories', {
  version: 'published',
});

Management API access tokens

Use the Management API's read-only/read-write access tokens to perform CRUD (create, read, update, delete) operations via the Management API.

Personal access token

The personal access token is account-specific.

To manage existing tokens or generate new ones, open your Account settings: My account → Account settings → Personal access tokens.

Secret management

Store your personal access tokens in environment variables, and never expose them in frontend code you commit to version control.

If a token is exposed, revoke it immediately and generate a new one.

By default, a new personal access token grants access to all spaces that you own. Learn more about space ownership in the Roles manual. Alternatively, specify one or multiple spaces that the token should grant access to.

Next, set individual permissions for the following scopes:

• Asset folders
• Assets
• Collaborators
• Comments
• Components
• Datasource entries
• Datasources
• Releases
• Spaces
• Statistics
• Stories
• Tags
• Users
• Webhooks

Select at least one scope. Alternatively, choose Select all scopes to enable read and write permissions for all scopes.

As an additional layer of security, set an expiration date for the token.

Finally, select Generate Token. The generated token is shown once. Copy it and store it securely. Upon generation, eligible spaces and scopes can be reviewed, but not changed.

Caution

Apply the principle of least privilege and restrict the token's access to the required spaces and scopes.

To bypass space and scope configuration, enable Full user permission. This grants the token the same access as your user account across all eligible spaces and enables all scopes.

Use it only for development or tooling that requires unrestricted access.

Further resources

Content Delivery API: Introduction

Management API: Introduction

Management API: Access Tokens