Automation Tokens
Automation tokens differ from other token types because they are not tied to a specific person and therefore are not subject to the lifecycle of such accounts. Automation tokens are sometimes also called "service accounts". They are designed for API automation use-cases such as continuous integration, deployment pipelines, or automation scripts. For more information about authentication tokens, review the Authentication token documentation.
Automation Tokens are a type of authentication token used to allow non-human clients, such as continuous integration and build systems, to perform actions via the Fastly API. Any API endpoint that requires token authentication will accept an automation token, as long as it has the required scope.
However, automation tokens can only be created by human users with the role of superuser
, presenting a user token.
Limitations
Automation tokens currently have the following limitations:
- Only users with the role of superuser can create automation tokens and must be in sudo mode.
- All user token limitations also apply to automation tokens.
- Users cannot create automation token if their account has force SSO or MFA enabled.
Error states
The following error states may be returned from token API requests.
POST /automation-tokens
- A response with a JSON body containing an error code is returned on error. The error codes match those defined in Authentication Tokens.
GET /automation-tokens
- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.
GET /automation-tokens/:token_id
- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.
GET /automation-tokens/:token_id/services
- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.
DELETE /automation-tokens/:token_id
- An HTTP 400 response is returned on a revocation error.
- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.
- An HTTP 404 response is returned on a failed token lookup.
Data model
expires_at | string | A UTC time-stamp of when the token expires. | |
name | string | The name of the token. | |
role | string | The role on the token. | |
scope | string | A space-delimited list of authorization scope. [Default global ] | |
services | array | (Optional) The service IDs of the services the token will have access to. Separate service IDs with a space. If no services are specified, the token will have access to all services on the account. | |
tls_access | boolean | Indicates whether TLS access is enabled for the token. | |
created_at | string | A UTC time-stamp of when the token was created. Read-only. | |
customer_id | string | Alphanumeric string identifying the customer. Read-only. | |
deleted_at | string | Date and time in ISO 8601 format. Read-only. | |
id | string | Alphanumeric string identifying a token. Read-only. | |
last_used_at | string | A UTC time-stamp of when the token was last used. Read-only. | |
updated_at | string | Date and time in ISO 8601 format. Read-only. | |
user_agent | string | The User-Agent header of the client that last used the token. | |
user_id | string | Alphanumeric string identifying the user. Read-only. | |
errors | array | ||
ip | string | The IP address of the client that last used the token. |