What Are Management Tokens?
Management Tokens are stack-specific, read-write tokens, used along with the Stack API key to make authorized Content Management API (CMA) requests. These tokens are not user-specific and can be used by anyone who has access to these tokens. They can be used to make the create, read, update, and delete requests on all modules of the stack. The stack owner or admin can create such tokens.
How Are They Different from Authtokens?
An ‘Authtoken’ is also a read-write token used to make authorized CMA requests, but it is a user-specific token. This means that your personal user details are attached to every API request that you make using the ‘Authtoken’. So, if a person were to obtain access to your Authtoken, and knows the Stack API key, this person would be able to make API requests that appeared to be coming from you.
Management Tokens, on the other hand, are stack-level tokens, with no users attached to them. They can do everything that Authtokens can do. Since they are not personal tokens, no role-specific permissions are applicable to them. It is recommended to use these tokens for automation scripts, third-party app integrations, and for Single Sign On (SSO)-enabled organizations.
Why Use Management Tokens?
- A relief for SSO-enabled organizations
Since users of SSO-enabled organizations log in to the Contentstack app via Identity Providers (IdP), and not through a traditional login, they do not get an Authtoken for making CMA requests. Previously, the workaround was to disable ‘Strict Mode’, log in using the Email-password combination, and get the Authtoken. Now, Management Tokens solve this problem. Irrespective of the way you log in, you can use Management Tokens to make CMA requests. - A token for your scripts and integrations
Management Tokens can be used for automation scripts and third-party app integrations, as these tokens can perform all content management actions. This eliminates the need to share your personal Authtoken, thereby cutting down potential security risks. - On-demand expiry to mitigate risks
If your Stack Management Token has been compromised, there is an option to invalidate the token by changing the expiry date or deleting the token instantly. You can, subsequently, create and use another token as a replacement.
A Few Things to Remember:
- Management Tokens can be created only by stack owner and admin users.
- While creating a Management Token, you can define if the token should or should not have an expiry date. You can also define if the token has read-only or read-write permissions.
- A maximum of 10 tokens can be created in a stack. To create more tokens, reach out to our customer support team or your dedicated account manager.
- A Management Token can be invalidated at will (by the stack owner or admin users) by setting the expiry to the current day or by deleting the token.
- A management token cannot be used to accept/reject a received publish/unpublish request for an entry.
- A management token cannot be used to invite users to and remove users from the stack