Automation Tokens

Automation Tokens are a type of authentication token used to allow non-human clients, such as continuous integration and build systems, to perform actions via the Fastly API. Any API endpoint that requires token authentication will accept an automation token, as long as it has the required scope.

However, automation tokens can only be created by human users with the role of superuser, presenting a user token.

Limitations

Automation tokens currently have the following limitations:

Error states

The following error states may be returned from token API requests.

POST /automation-tokens

  • A response with a JSON body containing an error code is returned on error. The error codes match those defined in Authentication Tokens.

GET /automation-tokens

  • An HTTP 401 response is returned on an expired token.
  • An HTTP 403 response is returned on an invalid access token.

GET /automation-tokens/:token_id

  • An HTTP 401 response is returned on an expired token.
  • An HTTP 403 response is returned on an invalid access token.

GET /automation-tokens/:token_id/services

  • An HTTP 401 response is returned on an expired token.
  • An HTTP 403 response is returned on an invalid access token.

DELETE /automation-tokens/:token_id

  • An HTTP 400 response is returned on a revocation error.
  • An HTTP 401 response is returned on an expired token.
  • An HTTP 403 response is returned on an invalid access token.
  • An HTTP 404 response is returned on a failed token lookup.

Automation tokens differ from other token types because they are not tied to a specific person and therefore are not subject to the lifecycle of such accounts. Automation tokens are sometimes also called "service accounts". They are designed for API automation use-cases such as continuous integration, deployment pipelines, or automation scripts. For more information about authentication tokens, review the Authentication token documentation.

Data model

  • expires_at (string): A UTC time-stamp of when the token expires.
  • name (string): The name of the token.
  • role (string): The role on the token.
  • scope (string): A space-delimited list of authorization scope. [Default global]
  • services (array): (Optional) The service IDs of the services the token will have access to. Separate service IDs with a space. If no services are specified, the token will have access to all services on the account.
  • tls_access (boolean): Indicates whether TLS access is enabled for the token.
  • created_at (string): A UTC time-stamp of when the token was created. Read-only.
  • customer_id (string): Alphanumeric string identifying the customer. Read-only.
  • deleted_at (string): Date and time in ISO 8601 format. Read-only.
  • id (string): Alphanumeric string identifying a token. Read-only.
  • last_used_at (string): A UTC time-stamp of when the token was last used. Read-only.
  • updated_at (string): Date and time in ISO 8601 format. Read-only.
  • user_agent (string): The User-Agent header of the client that last used the token.
  • user_id (string): Alphanumeric string identifying the user. Read-only.
  • errors (array)
  • ip (string): The IP address of the client that last used the token.
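
The data-model fields above are enough to drive a least-privilege review of automation tokens. The following is an added example, not Fastly's code. It assumes each token is available as a dict keyed by the field names above, treats an unset expires_at as "never expires", and uses a 90-day staleness threshold chosen for illustration; the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse an ISO 8601 time-stamp; None/empty means the field is not set."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # The data model describes these as UTC, so treat a missing offset as UTC.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit_token(token, now, stale_after_days=90):
    """Return least-privilege / hygiene findings for one token record."""
    findings = []
    if not token.get("services"):  # no service IDs = every service on the account
        findings.append("all-services")
    scopes = (token.get("scope") or "global").split()  # space-delimited, default global
    if "global" in scopes:
        findings.append("global-scope")
    expires = parse_ts(token.get("expires_at"))
    if expires is None:  # assumption: unset means the token never expires
        findings.append("no-expiry")
    elif expires <= now:
        findings.append("expired")
    last_used = parse_ts(token.get("last_used_at"))
    if last_used is None:
        findings.append("never-used")
    elif now - last_used > timedelta(days=stale_after_days):
        findings.append("stale")
    return findings

def audit(tokens, now=None):
    """Map token id -> findings, omitting tokens with nothing to report."""
    now = now or datetime.now(timezone.utc)
    report = {t["id"]: audit_token(t, now) for t in tokens}
    return {tid: f for tid, f in report.items() if f}

# Constructed sample records (ids and service IDs are placeholders).
SAMPLE = [
    {"id": "EXAMPLE1", "name": "ci-deploy", "scope": "global", "services": [],
     "expires_at": None, "last_used_at": "2024-05-31T10:00:00Z"},
    {"id": "EXAMPLE2", "name": "purge-bot", "scope": "purge_select",
     "services": ["SERVICE_ID_PLACEHOLDER"],
     "expires_at": "2024-12-31T00:00:00Z", "last_used_at": "2024-05-30T08:15:00Z"},
    {"id": "EXAMPLE3", "name": "old-script", "scope": "purge_select",
     "services": ["SERVICE_ID_PLACEHOLDER"],
     "expires_at": "2025-01-01T00:00:00Z", "last_used_at": "2023-11-01T00:00:00Z"},
]
```

Calling audit(SAMPLE) returns only the tokens that need attention; tokens flagged stale or never-used are candidates for revocation via DELETE /automation-tokens/:token_id.
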

Endpoints

List Customer Automation Tokens

GET /automation-tokens

Create Automation Token

POST /automation-tokens

Retrieve an Automation Token by ID

GET /automation-tokens/id

Revoke an Automation Token by ID

DELETE /automation-tokens/id

List Automation Token Services

GET /automation-tokens/id/services