Token Downgrades
Because API tokens can be used to access your account just like a real user, we proactively take steps to secure these tokens for you. For example, we automatically adjust permissions of tokens that are too broad to fit their usage.
Tokens that have higher permissions than they utilize in a 45-day window are automatically adjusted to the appropriate permission level.
We will email you a notice seven days before downgrading any of your API tokens. This email will go to all admins on your account.
Token Automatic Deletions
Tokens that are not used within any 45-day period are automatically deleted. To keep your API token alive, feel free to hit any endpoint within the API every 45 days.
We will email you a notice seven days before deleting any of your API tokens. This email will go to all admins on your account.
IP Whitelists
To further secure your token, we require you to whitelist IP addresses from which you expect to use your Read and Write token. This prevents an attacker from gaining access to your account in the event that your token is leaked or stolen. We accept IPv4 or IPv6 IPs and these addresses can be updated from the token management page. Read Only tokens do not require an IP whitelist.
Most platforms have a way to get a static IP address. For Heroku, you can use the Fixie or QuotaGuard Add-Ons. For AWS, you can use an Elastic IP address, attached to a NAT Gateway, an EC2 instance, or other resource.
Scopes
Only applies to Custom tokens.
Scopes allow the API user to specify the level of access an API token has. When creating a Custom token, select the fewest scopes needed to perform the work.
When selecting scopes that require write access, a whitelisted IP address is required. For more information, reference the IP Whitelists section above.
At this time, scopes cannot be edited after creating a Custom token. If you need access to different scopes, or no longer need access to a scope, it is best to create a new token with only the scopes you need.
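To see in advance which tokens these rules will touch, you can run the same checks against your own usage logs. The following is an added example, not code from this documentation or its API: the Token fields, scope names, finding codes and sample data are hypothetical, and it assumes the 45-day clock is measured from the token's last call.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

WINDOW = timedelta(days=45)  # usage window stated on the page
NOTICE = timedelta(days=7)   # notice period stated on the page

@dataclass
class Token:
    name: str
    granted: set     # scopes on the token (names below are hypothetical)
    allowlist: list  # IP strings registered for the token
    calls: list = field(default_factory=list)  # (time, scope) from your own logs

def valid_ips(entries):
    """Keep only entries that parse as a single IPv4 or IPv6 address."""
    good = []
    for entry in entries:
        try:
            good.append(ip_address(entry.strip()))
        except ValueError:
            pass  # malformed entry or CIDR range, not a single address
    return good

def audit(token, now, write_scopes):
    """Return finding codes for one token, judged from local usage records."""
    findings = []
    recent = [(ts, scope) for ts, scope in token.calls if now - ts <= WINDOW]
    if not recent:
        findings.append("IDLE")  # nothing in the window: deletion candidate
    else:
        if now - max(ts for ts, _ in recent) >= WINDOW - NOTICE:
            findings.append("NEAR_IDLE")  # assumption: clock runs from last call
        if token.granted - {scope for _, scope in recent}:
            findings.append("OVER_SCOPED")  # granted but unused in the window
    if token.granted & write_scopes and not valid_ips(token.allowlist):
        findings.append("WRITE_WITHOUT_ALLOWLIST")
    return findings

# Constructed sample inventory; token names, scopes and IPs are made up.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
TOKENS = [
    Token("reporting", {"accounts:read", "payments:write"}, ["not-an-ip"],
          [(NOW - timedelta(days=3), "accounts:read")]),
    Token("batch", {"accounts:read"}, [], [(NOW - timedelta(days=40), "accounts:read")]),
    Token("legacy", {"payments:write"}, ["2001:db8::10"],
          [(NOW - timedelta(days=60), "payments:write")]),
]
REPORT = {t.name: audit(t, NOW, {"payments:write"}) for t in TOKENS}
```

Because scopes cannot be edited, an OVER_SCOPED finding on a Custom token means creating a replacement token with the narrower set and retiring the old one.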