Source: https://datafa.st/docs/api/authentication
Markdown source: https://datafa.st/docs/api/authentication.md
Description: Choose between website API keys and account tokens, then grant the smallest access needed.

# Authentication and scopes

DataFast has two token types. They look similar, but they are meant for different jobs.

## Token types

| Token | Name | Scope | Best for |
|---|---|---|---|
| `df_` | Website API key | One website | Analytics reads, visitor lookup, server-side goals, payments, identify, and selected website-scoped admin actions |
| `dft_` | Account token | One account, optionally limited to specific websites | CLI, AI agents, account automation, website creation, token creation, team management, alerts, funnels, settings |

## Website API keys (`df_`)

Use `df_` keys when your integration only needs one website.

Create them in [Website settings -> Developer](/dashboard#website-api-key). If you are signed in, use the website selector in this docs header to switch the link to another website.

![Create a DataFast website API key](/blog-how-to-get-datafast-website-api-key.jpg.jpg)

You can also create them with the CLI:

```sh
datafast websites apikeys create <websiteId> --name "Prod key"
```

With public website endpoints, the website is inferred from the key:

```sh
curl "https://datafa.st/api/v1/analytics/overview" \
  -H "Authorization: Bearer df_xxx"
```

A `df_` key can also call some website-scoped Account API routes, such as listing or creating funnels for its own website. It cannot access account-level resources like `/api/v1/admin/access-tokens`, cannot create new websites, and cannot perform owner-only team actions.

## Account tokens (`dft_`)

Use `dft_` tokens when a script, CLI session, or AI agent needs broader account access.

Create them in [Account settings -> API](https://datafa.st/dashboard/settings?tab=api).

![Create a DataFast account API token](/blog-how-to-get-datafast-account-api-key.jpg)

You can also create them with the CLI:

```sh
datafast tokens create --name "AI agent" --permissions "analytics:read,websites:read,funnels:write,alerts:write"
```

Account tokens can be limited by:

- **Permissions:** for example `analytics:read`, `websites:write`, `funnels:write`, or `*`
- **Website scope:** all websites by default, or a fixed list of website IDs
- **Your role on the website:** viewers are read-only, members can manage most website settings, and owners can manage team members

When you use a `dft_` token with public website endpoints, pass `websiteId` so DataFast knows which website to query:

```sh
curl "https://datafa.st/api/v1/analytics/overview?websiteId=YOUR_WEBSITE_ID" \
  -H "Authorization: Bearer dft_xxx"
```

Admin endpoints include the website in the path:

```sh
curl "https://datafa.st/api/v1/admin/websites/YOUR_WEBSITE_ID/funnels" \
  -H "Authorization: Bearer dft_xxx"
```

## Permissions

Use the smallest permission set that can do the job.

| Permission | Allows |
|---|---|
| `analytics:read` | Analytics, visitors, realtime, metadata, funnel analytics |
| `goals:write` | Create or delete custom goal events |
| `payments:write` | Create or delete payment events |
| `identify:write` | Identify visitors from your backend |
| `websites:read` / `websites:write` | List and create websites |
| `settings:read` / `settings:write` | Read and update website settings, connect integrations |
| `api-keys:read` / `api-keys:write` | List, create, roll, or revoke website API keys and account tokens |
| `funnels:read` / `funnels:write` | List, create, update, or delete funnels |
| `alerts:read` / `alerts:write` | List, create, update, or delete alerts |
| `team:read` / `team:write` | List, invite, or remove team members. Invite and remove are owner-only |
| `*` | Full access |

## For AI agents

For an AI agent that should inspect analytics but not change data, use:

```txt
analytics:read,websites:read,settings:read,alerts:read,funnels:read,goals:read
```

For an AI agent that can manage growth workflows, add write permissions only for the resources it should change:

```txt
analytics:read,websites:read,settings:write,funnels:write,alerts:write,api-keys:read
```

Use [Account API](/docs/api/account) for REST automation, or [DataFast CLI](/docs/cli-introduction) if the agent can run shell commands.
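
A pre-flight check for the string you are about to pass to `--permissions`, as an added example rather than DataFast's own code: it flags `*`, unknown resources, and any `:write` scope outside the resources the agent is supposed to change. The function name `check_agent_perms` and its allow-list argument are assumptions; the resource names are taken from the permissions table above.

```shell
# Added example, not DataFast code. Resource names come from the permissions
# table above; check_agent_perms and its allow-list argument are assumptions.
KNOWN_RESOURCES="analytics goals payments identify websites settings api-keys funnels alerts team"

# check_agent_perms PERMS ALLOWED_WRITE
#   PERMS          comma-separated string, as given to --permissions
#   ALLOWED_WRITE  space-separated resources the agent may change ("" = read-only)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Only the resource name is validated, not which actions exist for it.
check_agent_perms() {
  perms=$1; allowed_write=$2; rc=0
  old_ifs=$IFS
  set -f            # keep a literal "*" from globbing into file names
  IFS=,
  for p in $perms; do
    IFS=$old_ifs
    case $p in
      '*') echo "wildcard: * grants full access"; rc=1; continue ;;
      *:read|*:write) ;;
      *) echo "malformed: $p"; rc=1; continue ;;
    esac
    res=${p%%:*}
    action=${p##*:}
    case " $KNOWN_RESOURCES " in
      *" $res "*) ;;
      *) echo "unknown: $p"; rc=1; continue ;;
    esac
    if [ "$action" = write ]; then
      case " $allowed_write " in
        *" $res "*) ;;
        *) echo "excess-write: $p"; rc=1 ;;
      esac
    fi
  done
  IFS=$old_ifs
  set +f
  return $rc
}

# Constructed input: a "read-only" agent request that sneaks in a write scope.
check_agent_perms "analytics:read,websites:read,funnels:write" "" \
  || echo "rejected: fix the permission string before creating the token"
```

Run it in CI or a wrapper script before `datafast tokens create`, passing an empty allow-list for inspect-only agents.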
