Token Downgrades

Because API tokens can be used to access your account just like a real user, we proactively take steps to secure these tokens for you. For example, we automatically adjust the permissions of tokens when those permissions are broader than their usage requires.

Tokens that have higher permissions than they utilize in a 45-day window are automatically adjusted to the appropriate permission level. Additionally, tokens that are not used at all within 45 days are automatically deleted.

We will email you a notice seven days before deleting or downgrading any of your API tokens.
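To anticipate these adjustments from your own request logs, the following added example (not code from this service) applies the 45-day rule to constructed usage data. The two permission levels and their ordering, the event format, and all function and token names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=45)                 # usage window stated above
LEVELS = {"read_only": 0, "read_write": 1}  # assumed ordering of permission levels


def audit_token(granted, events, as_of):
    """Classify one token from (timestamp, level_used) events in your own logs.

    Returns (action, level, days_left). days_left is set only for "keep": the
    days until the last use at the granted level falls out of the window.
    """
    start = as_of - WINDOW
    recent = [(ts, lvl) for ts, lvl in events if start <= ts <= as_of]
    if not recent:
        return ("delete", None, None)       # not used at all in the window
    used = max((lvl for _, lvl in recent), key=LEVELS.get)
    if LEVELS[used] < LEVELS[granted]:
        return ("downgrade", used, None)    # broader than anything it used
    last_full = max(ts for ts, lvl in recent if LEVELS[lvl] >= LEVELS[granted])
    return ("keep", granted, (last_full + WINDOW - as_of).days)


def audit(tokens, as_of):
    """Apply audit_token to a {name: (granted_level, events)} mapping."""
    return {name: audit_token(g, ev, as_of) for name, (g, ev) in tokens.items()}


AS_OF = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed evaluation date


def ago(days):
    return AS_OF - timedelta(days=days)


SAMPLE = {  # constructed tokens and usage, not real data
    "ci-deploy":  ("read_write", [(ago(3), "read_write"), (ago(20), "read_only")]),
    "dashboard":  ("read_write", [(ago(10), "read_only"), (ago(60), "read_write")]),
    "old-script": ("read_only",  [(ago(46), "read_only")]),
    "never-used": ("read_write", []),
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE, AS_OF).items():
        print(f"{name:12} {result}")
```

A token reported as "keep" with a small days_left is the one to review first: without another request at its granted level, it becomes a candidate for adjustment once that last use ages out of the window.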

IP Whitelists

To further secure your token, we require you to whitelist IP addresses from which you expect to use your Read and Write token. This prevents an attacker from gaining access to your account in the event that your token is leaked or stolen. We accept IPv4 or IPv6 addresses, and these addresses can be updated from the token management page. Read Only tokens do not require an IP whitelist.

Most platforms have a way to get a static IP address. For Heroku, you can use the Fixie or QuotaGuard Add-Ons. For AWS, you can use an Elastic IP address, attached to a NAT Gateway, an EC2 instance, or other resource.

Scopes

This section applies only to Custom tokens.

Scopes allow the API user to specify the level of access an API token has. When creating a Custom token, select the fewest scopes needed to perform the work.

When selecting scopes that require write access, a whitelisted IP address is required. For more information, see the IP Whitelists section above.

At this time, scopes cannot be edited after a Custom token is created. If you need access to different scopes, or no longer need access to a scope, it is best to create a new token with the scopes you need.