Self-Service Credentials

Use the self-service credential API to manage your own admin access tokens using API key token authentication. This page describes the endpoints that allow an authenticated application to manage its own admin access tokens. You can use these endpoints to create, list, view, and delete admin access tokens for the currently authenticated application. All operations require HTTP Basic Authentication using API key credentials. For more information about authentication methods, see the Authentication page. The self-service credential API is currently in limited release. Contact your Marqeta representative if you want to access this functionality.

Create a new admin access token

Action: POST
Endpoint: /credentials/apikeys/applications/self/accesstokens This endpoint enables you to create a new admin access token for the application provided in the header. You can create a maximum of 20 admin access tokens per application. You must assign roles when creating a new admin access token. You can also assign an expiration date other than the 90-day default value using the expires_at field.

Roles - You must assign one or more roles to your admin access tokens to control their permissions. You cannot create admin access tokens with roles that are not currently assigned to the admin access token you are using to call this endpoint.
Expiration - When creating a new admin access token, you can set an expiration date using the expires_at parameter. The expires_at field is optional, and accepts a value between one and 365 days in the future. If you do not provide the expires_at field, the expiration of the new admin access token is set to 90 days in the future by default.

Important
Admin access token values are secret and are only returned once, at the time of creation. These secret values are found in the secret_value field of the admin access token. Record the secret value when you create a new admin access token and store it securely.

Request body

Fields	Description
roles array of strings Required	List of roles assigned to an admin access token. Allowable Values: `read`, `write`, `pci`, `program-manager` Format: `["read", "write"]`
expires_at datetime Optional	Date and time of admin access token expiration, using ISO-8601 format. Allowable Values: Format: yyyy-MM-ddThh:mm:ssZ

Response body

Fields	Description
token_id string Conditionally returned	Unique identifier of the admin access token. Allowable Values: 255 char max
roles array of strings Conditionally returned	List of roles assigned to the admin access token. Allowable Values: `read`, `write`, `pci`, `program-manager` Format: `["read", "write"]`
expires_at datetime Conditionally returned	Date and time of admin access token expiration (if applicable), in UTC. Allowable Values: Format: yyyy-MM-ddThh:mm:ssZ
created_at datetime Conditionally returned	Date and time when the admin access token was created, in UTC. Allowable Values: Format: yyyy-MM-ddThh:mm:ssZ
secret_value string Conditionally returned	Actual admin access token secret value to be used for authentication. This secret value is only returned at time of admin access token creation. Allowable Values: 255 char max

List all admin access tokens

Action: GET
Endpoint: /credentials/apikeys/applications/self/accesstokens Retrieves a paginated list of all admin access tokens for the currently authenticated application, and only includes metadata for categories such as roles, expiration, and timestamps.

Note
The secret values of admin access tokens are never returned in list operations.

This endpoint supports pagination for admin access token sets, but not sorting.

URL query parameters

Fields	Description
count integer Optional	Maximum number of items to return. Default value is 20. Allowable Values: 0–20
start_index integer Optional	Number of items to skip before collecting the result set. Default value is 0. Allowable Values: 0 min

Response body

Fields	Description
data array of undefineds Conditionally returned	List of admin access tokens. Allowable Values: Valid admin access token
data[].token_id string Conditionally returned	Unique identifier of the admin access token. Allowable Values: 255 char max
data[].roles array of strings Conditionally returned	List of roles assigned to the admin access token. Allowable Values: `read`, `write`, `pci`, `program-manager` Format: `["read", "write"]`
data[].expires_at datetime Conditionally returned	Date and time of admin access token expiration (if applicable), in UTC. Allowable Values: Format: yyyy-MM-ddThh:mm:ssZ
data[].created_at datetime Conditionally returned	Date and time when the admin access token was created, in UTC. Allowable Values: Format: yyyy-MM-ddThh:mm:ssZ

Retrieve details of the current admin access token

Action: GET
Endpoint: /credentials/apikeys/applications/self/accesstokens/self Retrieves detailed information about the currently authenticated admin access token.

Note
The secret values of admin access tokens are never returned in list operations.

Response body

Fields	Description
token_id string Conditionally returned	Unique identifier of the admin access token. Allowable Values: 255 char max
roles array of strings Conditionally returned	List of roles assigned to the admin access token. Allowable Values: `read`, `write`, `pci`, `program-manager` Format: `["read", "write"]`
expires_at datetime Conditionally returned	Date and time of admin access token expiration (if applicable), in UTC. Allowable Values: Format: yyyy-MM-ddThh:mm:ssZ
created_at datetime Conditionally returned	Date and time when the admin access token was created, in UTC. Allowable Values: Format: yyyy-MM-ddThh:mm:ssZ

Delete current admin access token

Action: DELETE
Endpoint: /credentials/apikeys/applications/self/accesstokens/self Deletes the currently authenticated admin access token.

Important
Deleting an admin access token does not immediately revoke the token, but rather sets the expiration date to seven days from the date of deletion. If the expiration date is already less than seven days from the date of deletion, no change to the expiration date will occur.

Core API Basics

SDKs

Credentials

Account Holders

Funding

Just-in-Time Funding

Cards

Digital Wallets

Spend Control

Accounts

Transactions

3D Secure

Real-Time Decisioning

Disputes

Digital Banking

Credit Programs

Credit Account Management

Credit Account Servicing

Credit Reward Accounts

Testing

Webhooks

Self-Service Credentials

Create a new admin access token

Request body

Response body

List all admin access tokens

URL query parameters

Response body

Retrieve details of the current admin access token

Response body

Delete current admin access token

Core API Basics

SDKs

Credentials

Account Holders

Funding

Just-in-Time Funding

Cards

Digital Wallets

Spend Control

Accounts

Transactions

3D Secure

Real-Time Decisioning

Disputes

Digital Banking

Credit Programs

Credit Account Management

Credit Account Servicing

Credit Reward Accounts

Testing

Webhooks

​Create a new admin access token

​Request body

​Response body

​List all admin access tokens

​URL query parameters

​Response body

​Retrieve details of the current admin access token

​Response body

​Delete current admin access token

Create a new admin access token

Request body

Response body

List all admin access tokens

URL query parameters

Response body

Retrieve details of the current admin access token

Response body

Delete current admin access token