Source: https://datafa.st/docs/api/account/access-tokens
Markdown source: https://datafa.st/docs/api/account/access-tokens.md
Description: List, create, and revoke dft_ account tokens for CLI, scripts, and AI agents.

# Access tokens

Account tokens start with `dft_`. Use them for scripts, backend jobs, internal tools, and AI agents that need account-level access.

Create scoped tokens instead of sharing your personal token. For example, an analytics agent can get read-only permissions, while an operations agent can get funnel and alert write permissions for only one website.

> The DataFast CLI can create and use these tokens too, but the endpoints are not CLI-only.

Base path: `https://datafa.st/api/v1/admin`

| Endpoint | Method | Path | Permission | Purpose |
|---|---|---|---|---|
| [List access tokens](/docs/api/account/access-tokens/list) | GET | `/access-tokens` | `api-keys:read` | List account tokens |
| [Create access token](/docs/api/account/access-tokens/create) | POST | `/access-tokens` | `api-keys:write` | Create an account token. The raw `dft_` token is returned once |
| [Delete access token](/docs/api/account/access-tokens/delete) | DELETE | `/access-tokens/{tokenId}` | `api-keys:write` | Revoke an account token |

## Create a token

```sh
curl -X POST "https://datafa.st/api/v1/admin/access-tokens" \
  -H "Authorization: Bearer dft_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Read only agent",
    "permissions": ["analytics:read", "websites:read", "funnels:read"],
    "websiteIds": ["YOUR_WEBSITE_ID"]
  }'
```

`websiteIds: []` means all websites the token owner can access. The created token cannot exceed the caller token's permissions or website scope.

Related docs: [authentication and scopes](/docs/api/authentication), [CLI access tokens](/docs/cli-tokens), [Account API overview](/docs/api/account).

## Code examples

### Create a scoped token

```bash
curl -X POST "https://datafa.st/api/v1/admin/access-tokens" \
  -H "Authorization: Bearer dft_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Read only agent",
    "permissions": ["analytics:read", "websites:read", "funnels:read"],
    "websiteIds": ["YOUR_WEBSITE_ID"]
  }'
```

### Success response

```json
{
  "status": "success",
  "data": [
    {
      "id": "665f0b3c4d2e1a0012345678",
      "name": "Read only agent",
      "displayKey": "dft_ab1...xyz9",
      "key": "dft_full_token_shown_once",
      "permissions": ["analytics:read", "websites:read", "funnels:read"],
      "websiteIds": ["YOUR_WEBSITE_ID"]
    }
  ]
}
```