# API Access Tokens
All developer credentials can be created, edited, and managed in the Developers > Credentials section in CARTO Workspace. One of the most common developer credential types in CARTO are **API Access Tokens,** which are managed in this tab.
## What are API Access Tokens?
API Access Tokens are the simplest method of authorization for a developer or an application to use the CARTO APIs. This type of token is **permanent**, meaning they are completely valid until they are deleted.
API Access Tokens can be restricted to:
* Use only specific APIs (**Allowed APIs**)
* Access only specific data sources for specific connections (**Grants**)
* Be used only by specific websites **(Referers)**
{% hint style="info" %}
API Access Tokens created by you are private and can't be modified or deleted by other users.
{% endhint %}
{% hint style="info" %}
All API Access Tokens are created using the [Tokens API](https://api-docs.carto.com/#b060994a-8dc2-4c87-8358-d3b6a7d08c5e), so tokens created in the UI are exactly the same as those created programmatically.
{% endhint %}
## Managing your API Access Tokens
After you create your first API Access Token, you will be able to view the list of existing tokens for your own user. API Access Tokens created by other users aren't shown in this list.
If you have created tokens programmatically using the Tokens API, they will also appear in this list.
### Creating an API Access Token
If you click on "Create new" a new wizard will appear, with all the necessary fields to create a new API Access Token:
**Name**
This is a unique name you can assign to your token, so you can recognize it in contexts where other tokens are displayed such as the list of tokens in Developers. If you don't add your own name, CARTO will generate one such as "*`tk_shortid`*"
**Expiration**
Defines how long the token remains valid. After the expiration date, the token is rejected by the API and can no longer be used. Expired tokens are periodically removed.
When creating a token, you can choose a preset duration (1 day, 1 week, 1 month, 1 year) or set a custom expiration date. If no expiration date is specified, the token does not expire.
The expiration date cannot be changed after the token is created.
\
**Allowed APIs**
Your token will only be able to access the APIs that you specify here.
{% hint style="info" %}
The Import API can't be selected in combination with other APIs because it writes data (instead of reading it), and their grant structure is semantically different. We recommend creating specific tokens to use the Import API.
{% endhint %}
#### **Grants**
After you specify one or more APIs, you will have to include at least one grant for those APIs to work with. As discussed, grants are specific data sources that this token will be able to access and they are tied to specific connections. Choose a connection for your grant and you will see three types of grants:
* **Table, Tileset, Raster source or Pattern**: Choose a specific table, tileset or raster source from Data Explorer, or paste the fully qualified name if you know it (eg: *`my-project.dataset.table`*). You can also paste a **wildcard pattern** to grant access to multiple resources at once. See [Wildcard patterns](#wildcard-patterns) below.
* **SQL Query source:** Write or paste in the SQL editor the specific query that this token will be able to use. This is powerful in combination with the native data warehouse SQL parameters, as described in our API documentation.
* **Named Source:** Select or type a specific [Named Source](/carto-user-manual/developers/named-sources.md) that this token should have access to. It's equivalent to a SQL query source.
* **All sources:** Choose this option if want your token to access all data available to this connection, including future tables.
{% hint style="info" %}
Not all APIs require the same type of grants. For example, Maps API accepts all types of grants, SQL API accepts "Query", "Named Source", and "All Sources", and LDS API doesn't need any grant to work.
{% endhint %}
A grant using a wildcard pattern to allow access to every CARTO_* resource in the carto.shared namespace
#### Wildcard patterns
Wildcard patterns let you grant access to multiple resources at once with a single grant, without listing each one. Use `*` in the **Table, Tileset, Raster source or Pattern** field, and the token will match any resource whose fully qualified name fits the pattern, including resources created after the token was issued.
Examples:
* `carto.shared.*` grants access to every resource under `carto.shared`.
* `carto.shared.CARTO_*` grants access only to resources in `carto.shared` whose name starts with `CARTO_`.
* `carto.*.demo_*` grants access to any `demo_*` resource across all namespaces in the `carto` project.
The exact meaning of each segment depends on your data warehouse (project, database, dataset, schema, catalog, etc.), but the pattern is matched against the full name as it would appear in a regular grant.
Patterns must contain at least one dot, so the wildcarded segment is unambiguous. Values like `*`, `**` or `table*` are rejected and Save stays disabled until the pattern is valid.
{% hint style="warning" %}
A wildcard pattern grants access to every resource it matches, current and future. Make the pattern as specific as possible to limit the scope of access.
{% endhint %}
#### **Token restrictions**
For security reasons, you may want your token to only be used by certain websites, especially if your token is going to be public, for example when sharing code snippets.
To do so, just specify a list of **Allowed Referers URLs**, separated by commas. All requests using this token from these URLs will be considered valid, while all the other requests will be rejected.
{% hint style="info" %}
The list of allowed referers should match the [Referer HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) sent by your application. In most cases this header will include a trailing slash so make sure to include it at the end of each URL: "
Be careful when authorizing full-path referrers, for example, , as, by default, most current browsers strip the path from cross-origin requests.
{% endhint %}
### Using your new token
To use your token, simply go back to the list of available tokens, hover your mouse over the token and click on **"Copy Token"**. Your token will be copied to your clipboard and you can just use it in your API calls, as described in our [API documentation](https://api-docs.carto.com).
### Editing and deleting tokens
At any point, you can edit or delete your existing tokens. If you **edit** a token you can modify any property, from adding more grants to removing allowed referers.
{% hint style="danger" %}
If you delete a token, make sure first that it's not being used in your codebase, as they will stop working as soon as they're deleted. Deleted tokens can't be recovered.
{% endhint %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.carto.com/carto-user-manual/developers/managing-credentials/api-access-tokens.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.