---
title: Automation Tokens
summary: >-
  Automation tokens differ from other token types because they are not tied to a
  specific person and therefore are not subject to the lifecycle of such
  accounts. Automation tokens are sometimes also called "service accounts". They
  are designed for API automation use-cases such as continuous integration,
  deployment pipelines, or automation scripts. For more information about
  authentication tokens, review the <a
  href="https://www.fastly.com/documentation/reference/api/auth-tokens/user/">Authentication
  token</a> documentation.
url: https://www.fastly.com/documentation/reference/api/auth-tokens/automation
---

Automation tokens differ from other token types because they are not tied to a specific person and therefore are not subject to the lifecycle of such accounts. Automation tokens are sometimes also called "service accounts". They are designed for API automation use-cases such as continuous integration, deployment pipelines, or automation scripts. For more information about authentication tokens, review the <a href="https://www.fastly.com/documentation/reference/api/auth-tokens/user/">Authentication token</a> documentation.

Automation Tokens are a type of authentication token used to allow non-human clients, such as continuous integration and build systems, to perform actions via the Fastly API. Any API endpoint that requires token authentication will accept an automation token, as long as it has the required scope.

However, automation tokens can only be created by human users with the role of `superuser`, presenting a [user token](https://www.fastly.com/documentation/reference/api/auth-tokens/user/).

### Limitations

Automation tokens currently have the following limitations:

- Only users with the role of superuser can create automation tokens and must be in [sudo mode](https://www.fastly.com/documentation/reference/api/utils/sudo/).
- All [user token limitations](https://www.fastly.com/documentation/reference/api/auth-tokens/user/#limitations) also apply to automation tokens.
- Users cannot create automation token if their account has [force SSO](https://www.fastly.com/documentation/guides/account-info/user-access-and-control/setting-up-single-sign-on-sso/#requiring-sso-for-your-organization) or [MFA enabled](https://www.fastly.com/documentation/guides/account-info/account-management/managing-two-factor-authentication/#enabling-two-factor-authentication).
- They do not trigger or apply to Next-Gen WAF features and scopes.

### Error states

The following error states may be returned from token API requests.

#### POST /automation-tokens

- A response with a JSON body containing an error code is returned on error. The error codes match those defined in [Authentication Tokens](https://www.fastly.com/documentation/reference/api/auth-tokens/user/#error-states).

#### GET /automation-tokens

- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.

#### GET /automation-tokens/:token_id

- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.

#### GET /automation-tokens/:token_id/services

- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.

#### DELETE /automation-tokens/:token_id

- An HTTP 400 response is returned on a revocation error.
- An HTTP 401 response is returned on an expired token.
- An HTTP 403 response is returned on an invalid access token.
- An HTTP 404 response is returned on a failed token lookup.

## Data model

| Field | Type | Description |
|-------|------|-------------|
| `expires_at` | string | A UTC timestamp of when the token expires. |
| `name` | string | The name of the token. |
| `role` | string | The role on the token. |
| `scope` | string | A space-delimited list of authorization scope. |
| `services` | array | (Optional) The service IDs of the services the token will have access to. Separate service IDs with a space. If no services are specified, the token will have access to all services on the account. |
| `tls_access` | boolean | Indicates whether TLS access is enabled for the token. |
| `created_at` | string | A UTC timestamp of when the token was created. (Read-only) |
| `customer_id` | string | Alphanumeric string identifying the customer. (Read-only) |
| `id` | string | Alphanumeric string identifying a token. (Read-only) |
| `last_used_at` | string | A UTC timestamp of when the token was last used. (Read-only) |
| `user_agent` | string | The User-Agent header of the client that last used the token. |
| `user_id` | string | Alphanumeric string identifying the user. (Read-only) |
| `errors` | array |  |
| `ip` | string | The IP address of the client that last used the token. |

## API endpoints

### List Customer Automation Tokens

**GET** `/automation-tokens`

Lists all automation tokens for a customer.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `page` | integer | query | No |  |
| `per_page` | integer | query | No |  |

### Create Automation Token

**POST** `/automation-tokens`

Creates a new automation token.

### Retrieve an Automation Token by ID

**GET** `/automation-tokens/{id}`

Retrieves an automation token by ID.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `id` | string | path | Yes |  |

### Revoke an Automation Token by ID

**DELETE** `/automation-tokens/{id}`

Revoke an automation token by ID.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `id` | string | path | Yes |  |

### List Automation Token Services

**GET** `/automation-tokens/{id}/services`

List of services associated with the automation token.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `id` | string | path | Yes |  |
| `page` | integer | query | No |  |
| `per_page` | integer | query | No |  |