---
title: Access Tokens
description: Discover Storyblok's documentation with comprehensive developer guides, user manuals, API references, and examples to help you get the most out of the headless CMS platform.
url: https://storyblok.com/docs/concepts/access-tokens
---

# Access Tokens

Storyblok offers a rich set of APIs and services for delivering and managing content and assets. Tokens protect access to these services.

## Read-only access tokens

Use read-only access tokens to view the content and assets of a specific space. To manage per-space tokens and generate new ones, select the space and open **Settings** → **Access Tokens**.

The following types of tokens are available:

-   **Public:** Access `published` content using the Content Delivery API. Use this token in production frontends.
-   **Preview:** Access `draft` and `published` content using the Content Delivery API. Use this token in the Visual Editor or staging environments.
-   **Asset:** Access [private assets](https://storyblok.com/docs/concepts/assets) using the Content Delivery API.
-   **Release:** Access content associated with a specific release. Requires the [Releases app](https://www.storyblok.com/docs/api/management/releases/).
-   **Theme:** Access a theme for use by the Storyblok rendering service (deprecated).

> [!TIP]
> To specify how long the CDN caches the content, set a time-to-live (TTL). Learn more in the [caching developer concept](https://storyblok.com/docs/concepts/caching).

The following example uses the [JavaScript SDK](https://www.storyblok.com/docs/libraries/js/js-sdk) to fetch published stories via the [Content Delivery API](https://www.storyblok.com/docs/api/content-delivery/v2/stories/retrieve-multiple-stories):

```javascript
import { apiPlugin, storyblokInit } from '@storyblok/js';

const { storyblokApi } = storyblokInit({
  accessToken: 'YOUR_ACCESS_TOKEN',
  use: [apiPlugin],
});

// Use a public or preview access token
const { data } = await storyblokApi.get('cdn/stories', {
  version: 'published',
});
```


## Read-write access tokens

Use read-write access tokens to perform CRUD (create, read, update, delete) operations via the [Management API](https://www.storyblok.com/docs/api/management).

### Personal access token

The personal access token is account-specific. To manage existing tokens or generate new ones, open your [**Account settings**](https://app.storyblok.com/#/me/account?tab=token): **My account** → **Account settings** → **Personal access tokens**.

> [!WARNING]
> Secret management
> 
> Never expose personal access tokens in frontend code or commit them to version control. Store them in environment variables. If a token is exposed, revoke it immediately and generate a new one.

By default, a new personal access token grants access to all spaces that you own. Learn more about space ownership in the [roles user manual](https://storyblok.com/docs/manuals/roles). Alternatively, specify one or multiple spaces that the token should grant access to.

Set individual read and/or write permissions for the following scopes:

-   Asset folders
-   Assets
-   Collaborators
-   Comments
-   Components
-   Datasource entries
-   Datasources
-   Releases
-   Spaces
-   Statistics
-   Stories
-   Tags
-   Users
-   Webhooks

Select at least one scope. Alternatively, click **Select all scopes** to enable read and write permissions for all scopes.

As an additional layer of security, set an expiration date for the token and generate a new token once the date has passed.

Once configured, click **Generate Token**. The generated token will only be shown _once_. Copy the token and store it securely. Upon generation, eligible spaces and scopes can be reviewed, but not changed.

> [!WARNING]
> Least privilege
> 
> When generating a token, restrict access to only the required spaces and scopes. To bypass space and scope configuration, enable **Full user permission**. This grants the token the same access as your user account across all eligible spaces, and enables all scopes. Use it only for development or tooling that requires unrestricted access.

### OAuth access token

An OAuth access token is obtained via the OAuth2 authentication flow and is tied to a single space. It has a time-to-live (TTL) and is used for authenticating third-party apps or integrations. Permissions (scopes) such as `read_content` and `write_content` are granted during the OAuth process.

Learn more about obtaining an OAuth access token in the [OAuth 2.0 Authorization Flow](https://www.storyblok.com/docs/plugins/oauth-authorization-flow).

### Examples

Personal access token

```bash
curl -H "Authorization: YOUR_PERSONAL_ACCESS_TOKEN" https://mapi.storyblok.com/
```

OAuth access token

```bash
curl -H "Authorization: Bearer YOUR_OAUTH_ACCESS_TOKEN" https://mapi.storyblok.com/
```

> [!NOTE]
> Authorization
> 
> Note that the OAuth access token requires the `Bearer` keyword in the `Authorization` header, whereas the personal access token must be used without it.
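As an added example (not Storyblok's own code), the following helper applies the header rule from this note together with the public-versus-preview guidance from the read-only section: it picks the delivery token from the environment and refuses to build a Management API header in browser code. The environment variable names, the `kind` values and the sample tokens are assumptions chosen for this example.

```javascript
// Added example, not Storyblok's own code. Environment variable names below are
// assumptions for this example; adapt them to your deployment.

// Read-only side: a public token only ever sees published content, so it is the
// one to ship in production frontends; the preview token can read drafts and
// belongs only in the Visual Editor or staging.
function deliveryConfig(env) {
  const production = env.NODE_ENV === 'production';
  const name = production ? 'STORYBLOK_PUBLIC_TOKEN' : 'STORYBLOK_PREVIEW_TOKEN';
  const token = env[name];
  if (!token) {
    throw new Error(`missing ${name}`);
  }
  return {
    accessToken: token,
    // The public token cannot return drafts, so the version follows the token.
    version: production ? 'published' : 'draft',
  };
}

// Read-write side: personal tokens go in the Authorization header as-is, OAuth
// tokens need the `Bearer` prefix. Both are secrets and must never reach a browser.
function managementAuthHeader(kind, token) {
  if (typeof window !== 'undefined') {
    throw new Error('Management API tokens must not be used in browser code');
  }
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('empty management token');
  }
  switch (kind) {
    case 'personal':
      return { Authorization: token };
    case 'oauth':
      return { Authorization: `Bearer ${token}` };
    default:
      throw new Error(`unknown token kind: ${kind}`);
  }
}

// Same request as the curl examples above, with the header chosen by token kind.
async function managementGet(kind, token, path = '/') {
  return fetch(`https://mapi.storyblok.com${path}`, {
    headers: managementAuthHeader(kind, token),
  });
}
```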

## Further resources

[Content Delivery API: Introduction](https://storyblok.com/docs/api/content-delivery/v2)

[Management API: Introduction](https://storyblok.com/docs/api/management)

[Management API: Access Tokens](https://storyblok.com/docs/api/management/access-tokens)

