How do I generate an API token for headless or developer access?
Create a scoped API token from the Developer settings panel to give external scripts or tools controlled access to your VeloCMS blog content.
To generate an API token in VeloCMS, go to Admin → Settings → Developer → API Tokens, click New Token, choose the permission scopes your integration needs, and click Generate. Copy the token immediately — it's shown only once.
What permission scopes should I select for my token?
Always select the minimum scopes your integration actually needs — this limits the damage if the token is ever compromised. If your external site just needs to display published posts, use 'Read published posts' only. If you're running a migration script that needs to create posts, use 'Write posts'. If you're building a members-only feature that needs to verify subscriptions, add 'Read members'. The available scopes are: Read published posts, Read all posts (including drafts), Write posts, Read media, Write media, Read members, Write members, Read site settings, and Write site settings. Tokens with Write site settings should be created sparingly since that scope can change your domain, theme, and billing configuration.
How do I use the token in an API request?
Include the token in the HTTP Authorization header as a Bearer token. In JavaScript or TypeScript that looks like: fetch('https://your-pb-url/api/collections/posts/records', { headers: { 'Authorization': 'Bearer your-token-here' } }). In curl it's: curl -H 'Authorization: Bearer your-token-here' https://your-pb-url/api/collections/posts/records. For most REST clients (Postman, Insomnia, HTTPie), there's a dedicated Authorization tab where you select Bearer Token and paste your value.
What happens if I lose the token after closing the modal?
VeloCMS stores a one-way hash of the token, not the token itself — it's designed this way so even a database breach doesn't expose your tokens. This means if you close the modal without copying the token, it's gone and can't be recovered. The only option is to delete the old token and create a new one. This takes about 30 seconds and doesn't affect other active tokens. It's a good habit to immediately paste a newly generated token into your application's environment variables or secrets manager before closing the VeloCMS modal.
How do I revoke or rotate a token?
Open Admin → Settings → Developer → API Tokens. Each token appears as a row with its name, creation date, last-used date, and a Revoke button. Click Revoke to instantly invalidate that token — any API requests using it will start returning 401 Unauthorized immediately. To rotate a token (replace with a new one while minimizing downtime), create the new token first, update your integration to use the new token, verify the integration works, then revoke the old one. This zero-downtime rotation pattern avoids the brief gap that would occur if you revoked the old token before the new one was in place.
A useful naming convention for API tokens: include the integration name and the environment — for example 'Zapier integration — production' or 'Custom front-end — staging'. When you have multiple tokens it's much easier to identify which one to revoke if something goes wrong.
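The rotation order described above (create, switch, verify, then revoke) can be checked by a small script before anyone clicks Revoke. This is an added example, not VeloCMS code: the environment variable names VELOCMS_TOKEN_NEW and VELOCMS_TOKEN_OLD and the function names are assumptions, and the URL is the article's own placeholder.

```javascript
// Added example. Names here are assumptions for illustration, not VeloCMS APIs.
const ENDPOINT = 'https://your-pb-url/api/collections/posts/records'; // placeholder URL from the article

// Build the Authorization header; refuse empty values so a missing env var fails loudly.
function authHeaders(token) {
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('token missing: load it from the environment or a secrets manager');
  }
  return { Authorization: `Bearer ${token.trim()}` };
}

// Call the API with one token and return only the HTTP status (0 = network failure).
// The token is never logged or returned.
async function probe(token, fetchImpl = fetch) {
  const headers = authHeaders(token);
  try {
    const res = await fetchImpl(ENDPOINT, { headers });
    return res.status;
  } catch (err) {
    return 0;
  }
}

// Map the two status codes to the next step of the rotation described above.
function nextRotationStep(newStatus, oldStatus) {
  const ok = (s) => s >= 200 && s < 300;
  if (!ok(newStatus)) return 'KEEP_OLD';      // new token not verified: revoking now causes an outage
  if (ok(oldStatus)) return 'REVOKE_OLD';     // new token works, old one is still live
  if (oldStatus === 401) return 'DONE';       // old token already rejected with 401 Unauthorized
  return 'RECHECK';                           // unexpected status for the old token
}

async function main() {
  const newStatus = await probe(process.env.VELOCMS_TOKEN_NEW);
  const oldStatus = await probe(process.env.VELOCMS_TOKEN_OLD);
  console.log(`new=${newStatus} old=${oldStatus} -> ${nextRotationStep(newStatus, oldStatus)}`);
}

// Runs only when both (hypothetical) environment variables are set.
if (process.env.VELOCMS_TOKEN_NEW && process.env.VELOCMS_TOKEN_OLD) {
  main().catch((err) => console.error(err.message));
}
```

A successful response from this endpoint only shows that the new token authenticates for reading posts; an integration that relies on other scopes should probe an endpoint covered by each of them before the old token is revoked.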