List access tokens

GET https://datafa.st/api/v1/admin/access-tokens

List all dft_ account tokens created by the authenticated user. Returns masked keys only — full tokens are shown once at creation.

Requires a dft_ account token. Website API keys cannot access this endpoint.

Request

This endpoint does not require any path, query, or body parameters.

Response

Returns a JSON object with status: "success" and endpoint-specific fields in data.

Response fields

data[]._id

string

Token ObjectId.

data[].name

string|null

Human-readable name for the resource or event. The exact meaning depends on the endpoint.

data[].displayKey

string

Masked token shown in the dashboard.

data[].scope

string

Token scope. Account tokens use user.

data[].permissions

string[]

Granted permission strings. ['*'] means full access. See permission list. Example: ['analytics:read', 'websites:read'].

data[].websiteIds

string[]

Websites this token can access. Empty array [] means all websites on the account. Example: ['665f0b3c4d2e1a0012345678'].

data[].lastUsedAt

string|null

Last usage timestamp.

data[].createdAt

string

Creation timestamp.

data[].key

string

Only returned when creating a token. Full raw token shown once.

Authentication

Requires a dft_ account token with api-keys:read. Website API keys (df_) cannot call this endpoint because it manages account-level resources.

Create tokens in Account settings → API.

Errors

403 — Called with a df_ website key.

See API errors for the standard error envelope, auth failures, validation errors, permission errors, and rate limits.

✍️ Something missing? Suggest features.

🤖 AI agent or LLM? Read this page as markdown

{ "status": "success", "data": [{ "_id": "665f0b3c4d2e1a0012345678", "name": "Read only", "displayKey": "dft_ab1...xyz9", "scope": "user", "permissions": ["analytics:read", "websites:read"], "websiteIds": ["665f0b3c4d2e1a0012345678"], "lastUsedAt": null, "createdAt": "2026-05-21T00:00:00.000Z" }] }