Access tokens

Try on Playground

Account tokens start with dft_. Use them for scripts, backend jobs, internal tools, and AI agents that need account-level access.

Create scoped tokens instead of sharing your personal token. For example, an analytics agent can get read-only permissions, while an operations agent can get funnel and alert write permissions for only one website.

The DataFast CLI can create and use these tokens too, but the endpoints are not CLI-only.

Base path: https://datafa.st/api/v1/admin

Endpoint	Method	Path	Permission	Purpose
List access tokens	GET	`/access-tokens`	`api-keys:read`	List account tokens
Create access token	POST	`/access-tokens`	`api-keys:write`	Create an account token. The raw `dft_` token is returned once
Delete access token	DELETE	`/access-tokens/{tokenId}`	`api-keys:write`	Revoke an account token

Create a token

curl -X POST "https://datafa.st/api/v1/admin/access-tokens" \
  -H "Authorization: Bearer dft_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Read only agent",
    "permissions": ["analytics:read", "websites:read", "funnels:read"],
    "websiteIds": ["YOUR_WEBSITE_ID"]
  }'

websiteIds: [] means all websites the token owner can access. The created token cannot exceed the caller token's permissions or website scope.

✍️ Something missing? Suggest features.

🤖 AI agent or LLM? Read this page as markdown

curl -X POST "https://datafa.st/api/v1/admin/access-tokens" \ -H "Authorization: Bearer dft_xxx" \ -H "Content-Type: application/json" \ -d '{ "name": "Read only agent", "permissions": ["analytics:read", "websites:read", "funnels:read"], "websiteIds": ["YOUR_WEBSITE_ID"] }'

{ "status": "success", "data": [ { "id": "665f0b3c4d2e1a0012345678", "name": "Read only agent", "displayKey": "dft_ab1...xyz9", "key": "dft_full_token_shown_once", "permissions": ["analytics:read", "websites:read", "funnels:read"], "websiteIds": ["YOUR_WEBSITE_ID"] } ] }