Introducing scoped API tokens: better security for your Apify integrations

Scoped API tokens in Apify improve security by limiting third-party access to specific resources. You can now assign flexible permissions for different tasks.

We’re excited to introduce scoped API tokens, a new feature designed to give you more control and security over how third-party services access your Apify account.

Why scoped API tokens?

Integrations and programmatic control have always been at the heart of the Apify experience. For that reason, Apify has, for quite some time, offered API tokens that allow access to the Apify platform via the Apify REST API.

Historically, these API tokens granted full access to your account, often providing more permissions than necessary. With scoped API tokens, you can now limit token permissions, allowing them to access only the resources needed for a particular use case.

Whether you’re integrating Apify with external services or running automated tasks on your own, scoped API tokens provide a secure and controlled way to interact with your account.

How to create scoped API tokens

Creating a scoped API token is simple and can be done through the API & Integrations page in Apify Console. When creating a new token or updating an existing one, toggle the "Limit token permissions" option to make the token scoped.

Limiting API token permissions in Apify Console

You can then specify the token’s permissions:

  • Account-level permissions: Grant access to all resources of a specific type across your account, like allowing the token to run any Actor.
  • Resource-specific permissions: Restrict access to specific resources, such as reading from a particular dataset or writing to a single key-value store.

Configuring a token with resource-specific permissions

This flexibility allows you to grant the exact level of access needed without overexposing your account.

Use cases for scoped API tokens

Let’s take a look at a few typical use cases for scoped API tokens:

  • Use a third-party service (like Make or Zapier) to run a specific Actor, or send requests to an Actor in Standby mode. Just give your token the Run permission for the desired Actor, and you’re good to go.
  • Build Actors from your CI/CD pipeline. Here, you need a token with the account-level Build permission for Actors. That will allow it to build any Actor in your account.
  • Run an external aggregator that analyses all your datasets and uploads the results to a specific key-value store. This use case combines account-level and resource-specific permissions: the account-level Read permission to access all datasets and the resource-specific Write permission for the target key-value store.
  • Regularly upload new datasets to Apify for processing. For this scenario, you would use the dataset Create permission. This permission behaves in a special way: it not only allows the token to create a new dataset (Write is not enough here), but also grants the token full read/write access to all datasets it creates.
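
The permission rules in the use cases above can be checked against a planned token before you hand it to a third party. The following is an added example, not Apify code: a toy Python model in which the class, the lowercase permission strings, and the resource IDs (results-store, ds-1, and so on) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ScopedToken:
    """Toy model of a scoped token; names and structure are illustrative only."""
    account: set = field(default_factory=set)   # {(resource_type, permission)}
    resource: set = field(default_factory=set)  # {(resource_type, resource_id, permission)}
    created: set = field(default_factory=set)   # {(resource_type, resource_id)} made by this token

    def allows(self, rtype, perm, rid=None):
        if perm == "create":
            # Create is its own permission: Write alone does not permit creation.
            return (rtype, "create") in self.account
        if (rtype, perm) in self.account:
            return True  # account-level: applies to every resource of this type
        if (rtype, rid, perm) in self.resource:
            return True  # resource-specific: applies only to the named resource
        # Create also gives full read/write on resources this token created.
        return (rtype, rid) in self.created and perm in ("read", "write")

    def create(self, rtype, rid):
        if not self.allows(rtype, "create"):
            raise PermissionError(f"token may not create a {rtype}")
        self.created.add((rtype, rid))
        return rid


def missing(token, operations):
    """Return the (rtype, perm, rid) operations that the token would be denied."""
    return [op for op in operations if not token.allows(*op)]


# Constructed tokens mirroring the aggregator and upload use cases.
AGGREGATOR = ScopedToken(
    account={("dataset", "read")},
    resource={("key-value-store", "results-store", "write")},
)
UPLOADER = ScopedToken(account={("dataset", "create")})
WRITE_ONLY = ScopedToken(account={("dataset", "write")})

if __name__ == "__main__":
    UPLOADER.create("dataset", "ds-new")
    print(UPLOADER.allows("dataset", "write", "ds-new"))  # its own dataset
    print(UPLOADER.allows("dataset", "read", "ds-old"))   # someone else's dataset
    print(missing(AGGREGATOR, [("key-value-store", "write", "other-store")]))
```

Listing the operations an integration actually needs and running them through missing() shows whether a planned token is too narrow; the reverse check, probing operations it should not need, shows whether it is too broad.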

If you’d like to learn more about how scoped tokens work, refer to the documentation. You’ll find details on even more advanced cases, such as Actor execution or Webhook configuration.

Get started with scoped API tokens

Scoped API tokens are now available on the Apify platform. Start using them today to safeguard your data and fine-tune access across your account.

Tobiáš Potoček
Ex-Google SWE and ex-Kiwi.com engineering manager back on the IC track as a backend engineer at Apify.