API authentication in Netlify Connect
To ensure secure access to your data, configure API authentication settings for your data layer using API tokens and scopes.
You must authenticate all requests to your data layer’s GraphQL API using a token. However, API tokens and scopes do not apply to the GraphQL sandbox — an environment that is already limited to those in your Netlify team.
To support security tracking and auditing, Netlify records all activities related to generating, updating, and revoking API tokens and scopes in the team audit log.
# Manage API tokens
To restrict access to sensitive data, create API scopes first
By default, API tokens have unrestricted access to all of your data. If you plan to restrict access to certain fields and types, you have to create the API scope first. You cannot edit an API token after you create it.
Team Owners and Developers can generate multiple API tokens for each data layer, as needed.
# Generate an API token
To generate an API token for your data layer:
- Navigate to the page for your team in the Netlify UI.
- Select the data layer from the Data layers list, and then select Data layer settings.
- On the data layer settings page, select API access control.
- In the API tokens section, select Add an API token.
- Enter an API token name.
- Select the API scope(s) for the token. You can add more than one scope to provide access to multiple data sets. If you leave this blank, the token will have unrestricted access. Unscoped types and fields are accessible to all API tokens.
- Select Generate token.
- After Netlify generates a token for you, select the clipboard icon to copy your token and then store it in a safe place. To protect your data, you won’t be able to reveal this token again.
Make sure to include the API token in the authorization header for all API requests: Authorization: Bearer <YOUR_AUTH_TOKEN>
Keep your API token secure
To keep your API token secure, we recommend that you store it in an environment variable on Netlify instead of in your repository. You can also avoid revealing the token in the browser by using the Connect client, a serverless function, or an edge function to access the variable and query the GraphQL API during runtime.
# Revoke an API token
After you revoke an API token, any client applications or scripts that use that token will no longer be able to access the data layer’s GraphQL API.
This action cannot be reversed.
To revoke an API token:
- Navigate to the page for your team in the Netlify UI.
- Select the data layer from the Data layers list, and then select Data layer settings.
- On the data layer settings page, select API access control.
- In the API tokens section, find the token you want to revoke and select Revoke.
- In the confirmation prompt that appears, review the details and then select Revoke to confirm.
# Manage API scopes
API scopes are available for select data sources
Support for API scopes is currently available for data layers that use the following data source types: Contentstack, Drupal, and Shopify. Additional support is coming soon.
API scopes allow you to restrict access to sensitive data. The first step is to create a scope for the types and fields you want to restrict. Then, you can create an API token with access to that scope.
Only API requests made with the correctly scoped API tokens can access restricted types and fields. Unscoped types and fields are accessible to all API tokens.
Note that API tokens created without a scope have unrestricted access and it’s not possible to edit their scope after you generate them.
Team Owners and Developers can add multiple API scopes for each data layer, as needed.
# Add an API scope
To add an API scope to your data layer:
Navigate to the
page for your team in the Netlify UI.Select the data layer from the Data layers list, and then select Data layer settings.
On the data layer settings page, select API access control.
In the API scopes section, select Add an API scope.
Enter a Name for the scope.
Select the types and fields for the scope. You can use the Filter field to search for specific ones.
Select Save.
When you add an API scope, Netlify automatically starts a data sync to apply the scope to the types and fields in your data layer’s schema.
You can now generate an API token and apply the new scope to it.
# Edit an API scope
To edit an API scope on your data layer:
- Navigate to the page for your team in the Netlify UI.
- Select the data layer from the Data layers list, and then select Data layer settings.
- On the data layer settings page, select API access control.
- In the API scopes section, find the scope you want to modify, and select it to reveal the details.
- Select .
- Update the scope as needed and then select Save.
When you edit an API scope, the changes immediately apply to all API tokens that use the scope, and Netlify automatically starts a data sync to update your data layer’s schema.
# Delete an API scope
When you delete an API scope, the following access changes occur:
- If you delete a scope and another one doesn’t already apply to the types and fields, the data included in the scope will be accessible by all API tokens.
- If this is the only scope on an API token, the token will only have access to unscoped types and fields moving forward.
Only Team Owners can delete API scopes. This action cannot be reversed.
To delete an API scope from your data layer:
- Navigate to the page for your team in the Netlify UI.
- Select the data layer from the Data layers list, and then select Data layer settings.
- On the data layer settings page, select API access control.
- In the API scopes section, find the scope you want to delete, and select it to reveal the details.
- Select .
- In the confirmation prompt that appears, review the details and then select Delete API scope to confirm.
When you delete an API scope, Netlify automatically starts a data sync to remove the specified scope from the types and fields in your data layer’s schema.
Did you find this doc useful?
Your feedback helps us improve our docs.