Chapter 6. Tokens

This tutorial contains information about 3scale tokens: what are they, how they work, and how to create them.

3scale has two types of tokens: Access tokens (created by the user) and Service tokens (automatically created when you create a new service in 3scale).

6.1. Access tokens

Access tokens allow API provider admins and members to authenticate against the 3scale APIs – Billing, Account management, and Analytics – and try them out using our ActiveDocs (interactive documentation).

An access token may provide either read and write access, or read only.

An important thing to take into account is how access tokens work, which is according to the member’s rights. Admins can create tokens to authenticate against all three 3scale APIs. Members will be limited by their permissions to access the different parts of the Admin Portal. For example, if a member does not have access to the Billing area, they will not be able to create a token to authenticate against the Billing API.

6.2. Creating access tokens

Access tokens can be created on the tokens page. To create tokens, follow these steps:

  1. Click on the gear icon in the navigation bar.
  2. Navigate to Personal > Tokens.
  3. Click Add Access Token.
  4. Specify a name, select one or more scopes, and choose the permission for the token.
  5. To save the new token, click Create Access token.

Note that if you are a member, you might not see all the APIs – just the ones you have been given access to by the admin of your account.

You can create as many access tokens as you need. For security reasons, the tokens will not be stored on 3scale. When you create a new token, you will be alerted to save the token so you can then use it to make requests to the 3scale API.

If you lose a token, we recommend that you delete it – which will disable it and render it invalid – then create a new one.

6.3. Using access tokens

When using your access token to make calls to the 3scale APIs the results will be filtered by the services you have access to.

For example, when deploying APIcast self-managed, you’ll need an access token so your APIcast API gateway can pull the configuration of the service using the Account Management API.

The way it works is if your organization has set up three services on 3scale, and as a member, you have access to Service 1, but not 2 and 3, and you also have access to the Account Management API, when you create a token and make a request to the Account Management API you will only get the applications which are using Service 1.

Following the same example, if you have access to the Account Management API, but access to zero services, when making a call, you’ll get "access denied" error.

6.3.1. Service tokens

Service tokens are used to authenticate against 3scale Service Management API. Service tokens are generated automatically when a new service is created in 3scale, and are unique per service. They are shared among the users of the 3scale account.

You can find the service tokens for the services that the user has access to in the Admin Portal’s Dashboard: Account Settings (gear icon) > Personal > Tokens.