Access Tokens


By default, all the APIs that you create (or that are created by Canonic) are public. That means anyone who knows the API endpoints can read your data. We recommend creating auth tokens and changing the default permissions of your project to ensure that your APIs are secure.


Default Permissions

By default the APIs are public. To change the default permissions of your API:

  1. Open the project that you want to edit
  2. Click on the settings icon on the left-hand side to open the project settings.
  3. Click on the Access Tokens tab in the left navigation.
  4. Change the default permissions by editing the default permissions field


Types of permissions

Type    Description
CREATE  Allows creation of entries & data
UPDATE  Allows updating entries
READ    Allows reading single or multiple entries
DELETE  Allows deletion of entries

Creating Access Tokens

We recommend disabling all public access for your APIs and creating an authentication token with the permissions needed.

Example: When creating a website, you might want to create a READ only access token to allow your website to only read the data.

To create an access token:

  1. Open the Access Tokens page (inside project settings).
  2. Click on + Create a New Token to open the creation popup.
  3. Add a name and the permissions for that token and hit create.
  4. An authentication token will be generated, ready to use.


Revoking Access Tokens

You can revoke an access token by clicking on the delete icon next to it. The token will be immediately revoked.

All applications using that token will no longer have access to any of your APIs.

Using Access Tokens

You can use access tokens by passing them in the header of each of your requests when accessing your APIs. The token will be validated and will only be able to access those APIs for which it has permissions.

Sample Curl Request

# Put your API endpoint URL between the quotes.
curl '' \
  --request GET \
  --header "Content-type: application/json" \
  --header "authorization: TOKEN_HERE"
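
To confirm that public access is really off and that a READ-only token cannot write, the following added example (not Canonic's own code) probes one endpoint three ways. `API_URL` and `API_TOKEN` are assumed environment variables, and treating any 2xx status as "allowed" and POST as the CREATE request are assumptions.

```shell
#!/bin/sh
# Added example, not Canonic tooling. API_URL and API_TOKEN are assumed
# environment variables: one endpoint URL and a token created with READ only.

# status_of METHOD URL [TOKEN]: print the HTTP status code (000 = no response).
status_of() {
  method=$1; url=$2; token=${3:-}
  set -- --silent --output /dev/null --write-out '%{http_code}' \
         --request "$method" --header "Content-type: application/json"
  [ -n "$token" ] && set -- "$@" --header "authorization: $token"
  # Empty JSON body for the write probe; if it is accepted, an entry may
  # have been created and should be cleaned up.
  [ "$method" = POST ] && set -- "$@" --data '{}'
  curl "$@" "$url" || true
}

# Assumption: any 2xx status means the request was allowed.
is_allowed() { case $1 in 2??) return 0 ;; *) return 1 ;; esac; }

# check LABEL EXPECTED STATUS: print PASS/FAIL and count failures.
check() {
  if is_allowed "$3"; then got=allowed; else got=denied; fi
  if [ "$got" = "$2" ]; then
    echo "PASS  $1 (HTTP $3)"
  else
    echo "FAIL  $1: expected $2, got HTTP $3"
    failures=$((failures + 1))
  fi
}

# audit URL TOKEN: return the number of failed checks (0 = locked down).
audit() {
  failures=0
  check "GET without token" denied  "$(status_of GET  "$1")"
  check "GET with token"    allowed "$(status_of GET  "$1" "$2")"
  # Assumption: POST is the request that needs the CREATE permission.
  check "POST with token"   denied  "$(status_of POST "$1" "$2")"
  return "$failures"
}

if [ -n "${API_URL:-}" ] && [ -n "${API_TOKEN:-}" ]; then
  audit "$API_URL" "$API_TOKEN"
fi
```

Run it after changing the default permissions and again after revoking a token; a revoked token should make the "GET with token" check fail.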