Managing access tokens
Use Developer Center to create, manage, or delete your organization's developer API access tokens.
The access tokens do not expire, but administrators can revoke them depending on the project's progress.
Prerequisites
To use the Developer Center application, you need the following:
Administrator privileges
Knowledge of which Arc XP APIs and environments your developers need to access
An administrator of The Herald, an organization using Arc XP's implementation, wants to create a new access token for a junior developer who recently joined.
During the first weeks, they provide a Read only Restricted access token, allowing the developer to access the Author API and create author profiles.
After six months, when the developer's assignment ends, the administrator revokes the developer's access token.
From the Access Tokens page, the administrator can also search, manage, and remove their team access tokens.
Procedures
To create new access tokens for your developers, complete the following:
Navigate to Developer Center. The Access Tokens page opens.
Click New access token. The New access token window opens.
Select the access token type from the following:
Restricted access - use this access type to create tokens with permissions for specific API endpoints. These tokens can be shared with your developers as needed.
Tokens remain active even if a developer leaves your company, so manage token access separately from developer access.
Read only (admin) - use this access type to give administrators only read privileges.
All access (admin) - use this access type to grant administrators full writing and reading privileges for all Arc XP API endpoints.
Important
We recommend leveraging restricted access tokens for all cases.
Click Create token to confirm your choice or Cancel to stop the creation process.
Access tokens are visible only one time after creation. Store your access tokens in a secure place, such as your password manager, for further reference.
Restricted access tokens are scoped to specific Arc XP applications and are the recommended security solution for all scenarios. They allow you to have granular control over who can access your services, increasing your organization's security by minimizing potential risks if a token is ever compromised.
To create a Restricted access token, complete the following from the New access token pane:
Select Restricted access as the token type.
Click Create token. The Create restricted access token page opens.
Enter a Token description to help users understand what this token is for.
In the Configure endpoint access section, select the token's access level for each Arc XP application from None, Read Only, or Full Access.
In the upper right corner, click Generate token. The Generated restricted access token page opens.
Copy the generated access token and store it in your password manager for further reference.
Caution
You cannot modify a restricted access token after it is created. You must create a new restricted access token to change the permissions.
Read only (admin) access tokens provide users with read-only access to components from all Arc XP APIs, including internal notes, unpublished content, and user details.
To create a Read only (admin) token, complete the following from the New access token pane:
Select Read only (admin) as the token type.
Click Create token. The Create read-only token page opens.
Enter a Token description to help users understand what this token is for.
In the upper right corner, click Generate token. The Generated restricted access token page opens.
Copy the generated access token and store it in your password manager for further reference.
All access (admin) tokens grant complete access to all Arc XP API endpoints. These tokens are useful for applications that programmatically generate, ingest, or modify content in Arc XP without human intervention.
To create an All access (admin) token, complete the following from the New access token pane:
Select All access (admin) as the token type.
Click Create token. The Create all access token page opens.
Enter a Token description to help users understand what this token is for.
In the upper right corner, click Generate token. The Generated all access token page opens.
Copy the generated access token and store it in your password manager for further reference.
You can revoke access tokens as your project requires. However, you must manually revoke access tokens when a user account is removed from Okta or when a user leaves your organization.
Revoking an access token cannot be undone.
In the search box, filter the tokens by description or username.
Click > Revoke Token. The Revoke access token confirmation message opens.
Click Revoke access token.
Tip
Rotate tokens regularly. Create new tokens and revoke old ones after deploying your application to production environments to minimize the time a compromised token can be exploited.
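Because tokens never expire and outlive the accounts that created them, a periodic review of the token list is the only way to catch tokens that should be revoked or rotated. The following is an added example, not part of the Arc XP documentation or product: it audits a hand-maintained token inventory against the list of active users. The inventory format, the "type" and "created" fields, the usernames, and the 90-day rotation window are all assumptions made for illustration.

```python
from datetime import date

ADMIN_TYPES = {"Read only (admin)", "All access (admin)"}
MAX_AGE_DAYS = 90  # assumption: the page says "regularly" without giving a period

# Constructed inventory, as if copied by hand from the Access Tokens page.
# The "type" and "created" fields are assumptions about what you record.
TOKENS = [
    {"description": "author-sync job", "username": "jdoe",
     "type": "Restricted access", "created": date(2024, 6, 1)},
    {"description": "ingest pipeline", "username": "asmith",
     "type": "All access (admin)", "created": date(2024, 5, 15)},
    {"description": "junior dev onboarding", "username": "former_dev",
     "type": "Restricted access", "created": date(2024, 1, 2)},
    {"description": "reporting", "username": "jdoe",
     "type": "Read only (admin)", "created": date(2024, 3, 1)},
]
ACTIVE_USERS = {"jdoe", "asmith"}  # constructed: accounts still active in Okta


def audit_tokens(tokens, active_users, today, max_age_days=MAX_AGE_DAYS):
    """Return (description, username, reasons) for each token needing action."""
    findings = []
    for tok in tokens:
        reasons = []
        # Tokens outlive the account that created them, so check the owner.
        if tok["username"] not in active_users:
            reasons.append("revoke: owner no longer active")
        # Restricted access is recommended for all cases.
        if tok["type"] in ADMIN_TYPES:
            reasons.append("replace: admin token, use restricted access")
        # Tokens never expire, so age is the only rotation signal.
        age = (today - tok["created"]).days
        if age > max_age_days:
            reasons.append(f"rotate: {age} days old")
        if reasons:
            findings.append((tok["description"], tok["username"], reasons))
    return findings


if __name__ == "__main__":
    for desc, user, reasons in audit_tokens(TOKENS, ACTIVE_USERS, date(2024, 7, 1)):
        print(f"{desc} ({user}): " + "; ".join(reasons))
```

Run it whenever accounts are removed from Okta and on a regular schedule, then revoke or replace the flagged tokens in Developer Center.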