Source: https://datafa.st/docs/api/account/access-tokens/list
Markdown source: https://datafa.st/docs/api/account/access-tokens/list.md
Description: List dft_ account tokens.

# List access tokens

`GET https://datafa.st/api/v1/admin/access-tokens`

List all `dft_` account tokens created by the authenticated user. Returns masked keys only — full tokens are shown once at creation.

Requires a `dft_` account token. Website API keys cannot access this endpoint.

## Request

This endpoint does not require any path, query, or body parameters.

## Response

Returns a JSON object with `status: "success"` and endpoint-specific fields in `data`.

#### Response fields

| Field | Type | Description |
| --- | --- | --- |
| `data[]._id` | string | Token ObjectId. |
| `data[].name` | string\|null | Human-readable name for the resource or event. The exact meaning depends on the endpoint. |
| `data[].displayKey` | string | Masked token shown in the dashboard. |
| `data[].scope` | string | Token scope. Account tokens use `user`. |
| `data[].permissions` | string[] | Granted permission strings. `['*']` means full access. See [permission list](/docs/api/authentication#permissions). Example: `['analytics:read', 'websites:read']`. |
| `data[].websiteIds` | string[] | Websites this token can access. Empty array `[]` means all websites on the account. Example: `['665f0b3c4d2e1a0012345678']`. |
| `data[].lastUsedAt` | string\|null | Last usage timestamp. |
| `data[].createdAt` | string | Creation timestamp. |
| `data[].key` | string | Only returned when creating a token. Full raw token shown once. |

### Authentication

Requires a `dft_` account token with `api-keys:read`. Website API keys (`df_`) cannot call this endpoint because it manages account-level resources.

Create tokens in [Account settings → API](https://datafa.st/dashboard/settings?tab=api).

### Errors

**403** — Called with a `df_` website key.

See [API errors](/docs/api#errors) for the standard error envelope, auth failures, validation errors, permission errors, and rate limits.

## Code examples

### Example request

```bash
curl -X GET "https://datafa.st/api/v1/admin/access-tokens" \
  -H "Authorization: Bearer dft_xxx"
```

### Success response

```json
{
  "status": "success",
  "data": [{
    "_id": "665f0b3c4d2e1a0012345678",
    "name": "Read only",
    "displayKey": "dft_ab1...xyz9",
    "scope": "user",
    "permissions": ["analytics:read", "websites:read"],
    "websiteIds": ["665f0b3c4d2e1a0012345678"],
    "lastUsedAt": null,
    "createdAt": "2026-05-21T00:00:00.000Z"
  }]
}
```