Skip to main content
Use the self-service credential API to manage your own admin access tokens using API key token authentication. This page describes the endpoints that allow an authenticated application to manage its own admin access tokens. You can use these endpoints to create, list, view, and delete admin access tokens for the currently authenticated application. All operations require HTTP Basic Authentication using API key credentials. For more information about authentication methods, see the Authentication page. The self-service credential API is currently in limited release. Contact your Marqeta representative if you want to access this functionality.

Create a new admin access token

Action: POST
Endpoint: /credentials/apikeys/applications/self/accesstokens
This endpoint enables you to create a new admin access token for the application provided in the header. You can create a maximum of 20 admin access tokens per application. You must assign roles when creating a new admin access token. You can also assign an expiration date other than the 90-day default value using the expires_at field.
  • Roles - You must assign one or more roles to your admin access tokens to control their permissions. You cannot create admin access tokens with roles that are not currently assigned to the admin access token you are using to call this endpoint.
  • Expiration - When creating a new admin access token, you can set an expiration date using the expires_at parameter. The expires_at field is optional, and accepts a value between one and 365 days in the future. If you do not provide the expires_at field, the expiration of the new admin access token is set to 90 days in the future by default.
Important
Admin access token values are secret and are only returned once, at the time of creation. These secret values are found in the secret_value field of the admin access token. Record the secret value when you create a new admin access token and store it securely.

Request body

Response body

List all admin access tokens

Action: GET
Endpoint: /credentials/apikeys/applications/self/accesstokens
Retrieves a paginated list of all admin access tokens for the currently authenticated application, and only includes metadata for categories such as roles, expiration, and timestamps.
Note
The secret values of admin access tokens are never returned in list operations.
This endpoint supports pagination for admin access token sets, but not sorting.

URL query parameters

Response body

Retrieve details of the current admin access token

Action: GET
Endpoint: /credentials/apikeys/applications/self/accesstokens/self
Retrieves detailed information about the currently authenticated admin access token.
Note
The secret values of admin access tokens are never returned in list operations.

Response body

Delete current admin access token

Action: DELETE
Endpoint: /credentials/apikeys/applications/self/accesstokens/self
Deletes the currently authenticated admin access token.
Important
Deleting an admin access token does not immediately revoke the token, but rather sets the expiration date to seven days from the date of deletion. If the expiration date is already less than seven days from the date of deletion, no change to the expiration date will occur.