FAQ / Personal access tokens
Should I secure these tokens? How?
Content Management API tokens are just like passwords. Anyone who obtains one can use it to act in Contentful on your behalf, so you should do your best to protect them. Typical measures include reading tokens from environment variables wherever possible, and adding any file that mentions a token to your VCS ignore list so that it cannot be leaked.
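The two measures above can be checked in code. The following is an added example, not Contentful's own code: it reads the token from an environment variable and lists files that contain a token-like string but are not covered by git's ignore rules. The variable name `CONTENTFUL_MANAGEMENT_TOKEN` and the `CFPAT-` token pattern are assumptions; adjust both to your setup.

```python
import os
import re
import subprocess
from pathlib import Path

# Assumption: tokens look like "CFPAT-" followed by URL-safe characters.
TOKEN_RE = re.compile(r"CFPAT-[A-Za-z0-9_-]{20,}")
ENV_VAR = "CONTENTFUL_MANAGEMENT_TOKEN"  # hypothetical variable name


def load_token(env=os.environ):
    """Read the token from the environment; no hard-coded fallback."""
    token = env.get(ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return token


def redact(token):
    """Keep only enough of a token to identify it in a report."""
    return token[:10] + "..."


def files_with_tokens(root):
    """Map relative path -> redacted token-like strings found under root."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        found = TOKEN_RE.findall(path.read_text(errors="ignore"))
        if found:
            hits[str(rel)] = [redact(t) for t in found]
    return hits


def not_ignored(root, paths):
    """Return the paths git does not ignore, i.e. files that could be committed."""
    exposed = []
    for p in paths:
        # `git check-ignore -q` exits 0 if the path is ignored, 1 if it is not.
        rc = subprocess.run(["git", "-C", str(root), "check-ignore", "-q", p]).returncode
        if rc not in (0, 1):
            raise RuntimeError(f"git check-ignore failed for {p}")
        if rc == 1:
            exposed.append(p)
    return exposed


if __name__ == "__main__":
    found = files_with_tokens(".")
    for p in not_ignored(".", found):
        print(f"token-like string in a file git does not ignore: {p} {found[p]}")
```

Run it from the repository root, for example as a pre-commit step; a file that is already tracked is reported as not ignored, because ignore rules do not apply to tracked files.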
How can I get a Personal Access Token if I don’t have any Content Management Access token in the first place?
You need to get a Content Management API token from the Contentful Web App. You can request it in the API section.
What’s the difference between tokens issued by an OAuth app and Personal Access tokens?
Inherently none, as both are tokens to access the Contentful Content Management API. Both are tied to the user who requested them, and therefore have access to the very same organisations, spaces and content as the token’s owner.
The difference is more conceptual: with OAuth, you authorize an app to talk to Contentful on your behalf, and might not ever see the credentials that the app uses; on the other hand, with Personal Access Tokens you are in charge of asking for the credentials to the API, and subsequently managing them.
When should I use an OAuth app and when should I prefer a Personal Access Token?
This varies greatly depending on your use case. OAuth apps allow other users to authenticate against Contentful so that your app can use the issued token as part of its process. Personal Access Tokens are personal, which means that they are tied to a single Contentful user account. This makes Personal Access Tokens good candidates for development, as well as for automation purposes, when an application only requires a single Contentful account to manage content.
Why Personal Access Tokens?
Because they provide an easy way to work with our Content Management API, and are a widespread standard used across well-known organisations and services (such as GitHub, for example).
How do I set an expiration date for Personal Access Tokens?
NOTE: You cannot set an expiration date on existing tokens.
To add an expiration date on a Personal Access Token, you must create a new token. Click the Create personal access token button at the top right corner of the CMA tokens page. In the modal, enter the name of the new token and choose an expiration date from the dropdown. Click Generate to create the new token.
When a token is approaching expiration, the individual who created the token will receive email notifications with guidance on how to create a new token. However, no email notification is sent for tokens with an expiration time of less than 1 day.
Why should I set an expiration date for Personal Access Tokens?
When you create a personal access token, we recommend that you set an expiration date for it. When a token reaches its expiration date, it is automatically revoked. Adding an expiration date increases your organization's ability to secure how your data is accessed.