# Create a token Creates a query token. The scope and permissions of the token are specified through the request TokenParameters object that includes a required label and expiration date and time (such as "expiration": "2025-01-15T15:30:00Z"), an optional description, along with other restrictions, such as: - Publish State - the publish state the token is restricted to (either Preview, Published, or both), for example, "publishState": ["Published"]. This property can be empty, but cannot be Unknown. - Branches - the name of the branches that token access is restricted to, for example, "branches": "main, dev, release/"]. For a prefix match, use /. This property can be empty. - Source IPs - the source IP addresses that token access is restricted to, for example, "sourceIPs": ["192.168.20.101"]. This property can be empty. - Origins - the origins that the token access is restricted to. This is a CORS feature and takes effect only when a request includes the Origin header. This property can be empty. - Introspection - whether GraphQL introspection is allowed when using this token. It is recommended that introspection only be enabled for development environments. {% admonition type="info" name="Note" %} We recommend an expiration date of one year at the most. You cannot change the expiration date after you create a token without generating a new token.{% /admonition %} Endpoint: POST /api/token/v2 Version: v2.0 Security: Bearer ## Request fields (application/json): - `label` (string) The label of the token. - `description` (string,null) The description of the token. - `managePersistedQueries` (boolean,null) Whether the token can manage persisted queries. - `expiration` (string) The expiration date and time of the token. - `restrictions` (object) Represents the restrictions associated with a token. Example: {"publishState":["Published"],"branches":["main"],"origins":["https://myapp.com"],"sourceIPs":["127.0.0.1"],"introspection":true} - `restrictions.publishState` (array) Gets or sets the publish states associated with the token. Enum: "Published", "Preview", "published", "preview" - `restrictions.branches` (array) Gets or sets the branches associated with the token. This can be an exact match with the branch ID or a prefix match. Example: ["main"] - `restrictions.sourceIPs` (array) Gets or sets the source IP addresses associated with the token. Example: ["127.0.0.1"] - `restrictions.origins` (array) Gets or sets the origins associated with the token. Example: ["https://myapp.com"] - `restrictions.introspection` (boolean) Gets or sets a value indicating whether introspection is allowed. Example: true ## Response 201 fields (application/json): - `id` (string) The unique identifier of the token. - `label` (string) The label of the token. - `description` (string) The description of the token. - `managePersistedQueries` (boolean,null) Whether the token can manage persisted queries. - `token` (string) The token string. - `expiration` (string) The expiration date and time of the token. - `restrictions` (object) Represents the restrictions associated with a token. Example: {"publishState":["Published"],"branches":["main"],"origins":["https://myapp.com"],"sourceIPs":["127.0.0.1"],"introspection":true} - `restrictions.publishState` (array) Gets or sets the publish states associated with the token. Enum: "Published", "Preview", "published", "preview" - `restrictions.branches` (array) Gets or sets the branches associated with the token. This can be an exact match with the branch ID or a prefix match. Example: ["main"] - `restrictions.sourceIPs` (array) Gets or sets the source IP addresses associated with the token. Example: ["127.0.0.1"] - `restrictions.origins` (array) Gets or sets the origins associated with the token. Example: ["https://myapp.com"] - `restrictions.introspection` (boolean) Gets or sets a value indicating whether introspection is allowed. Example: true - `system` (object) Contains system metadata and tracking information for a token. This includes creation details that are automatically populated by the system. - `system.createdAt` (string) The date and time when the token was created. - `system.createdBy` (object) - `system.createdBy.type` (string) - `system.createdBy.relatedType` (string) - `system.createdBy.id` (string) - `system.createdBy.uri` (string) ## Response 400 fields (application/json): - `type` (string,null) - `title` (string,null) - `status` (integer,null) - `detail` (string,null) - `instance` (string,null) - `errors` (object) ## Response 401 fields (application/json): - `type` (string,null) - `title` (string,null) - `status` (integer,null) - `detail` (string,null) - `instance` (string,null) ## Response 403 fields (application/json): - `type` (string,null) - `title` (string,null) - `status` (integer,null) - `detail` (string,null) - `instance` (string,null)