Read-only Personal access tokens

George_A · March 31, 2023, 3:29pm

Hi there, when using the Netlify API, Personal access tokens seem to allow full access.
Is it possible to get a read-only token that could be used just for extracting site data?

(this particular user case is about allowing someone to fetch data from Netlify Forms)

Many thanks,
George

SamO · March 31, 2023, 3:55pm

Hi George,

Yes this is possible. To create a read only token you can do the following:

navigate to the “User settings” section.
click on the “Access tokens” tab and then click on the “New access token” button.
select the permissions you want to grant it. In this case, you should only grant it the “Forms” permission
“Generate token”

George_A · March 31, 2023, 3:58pm

Thank you for the speedy response.
Seems too obvious! I see no option to grant permissions when I create a new token

danielfdickinson1 · March 31, 2023, 4:02pm

I think that is a ‘Business’ class feature (Netlify Pricing and Plans says that ‘role-based access control’ is a feature of the ‘Business’ plan).

SamO · March 31, 2023, 4:09pm

Hi, @George_A daniel is right you need to be on a Business plan for specific role access. Sorry I didn’t catch that earlier.

George_A · March 31, 2023, 4:20pm

Ohhhhh well spotted. Thank you!

Joroze · May 11, 2023, 1:39pm

Hello! I’m on Enterprise and don’t see this option. I was wondering if I can get assistance enabling this. (referring to RBAC on personal access tokens)

hrishikesh · May 13, 2023, 6:38pm

I’m afraid, @danielfdickinson1’s solution is slightly off-the mark. There’s no way yet to set a read-only PAT, not on any plan. The feature that they talked about is about JWT Secret for RBAC for visitors which has nothing to do with PATs.

@Joroze, RBAC doesn’t exist for PATs yet.