> ## Documentation Index
> Fetch the complete documentation index at: https://www.marqeta.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Self-Service Credentials

> Use the self-service credential API to create, retrieve, and delete admin access tokens.

export const EndpointCard = ({method = "API", title, children, href, arrow = true}) => {
  const METHOD_STYLES = {
    GET: {
      bg: "mint-bg-green-400/20 dark:mint-bg-green-400/20",
      text: "mint-text-green-700 dark:mint-text-green-400",
      border: "mint-border-green-300 dark:mint-border-green-700"
    },
    POST: {
      bg: "mint-bg-blue-400/20 dark:mint-bg-blue-400/20",
      text: "mint-text-blue-700 dark:mint-text-blue-400"
    },
    PUT: {
      bg: "mint-bg-yellow-400/20 dark:mint-bg-yellow-400/20",
      text: "mint-text-yellow-700 dark:mint-text-yellow-400"
    },
    PATCH: {
      bg: "mint-bg-orange-400/20 dark:mint-bg-orange-400/20",
      text: "mint-text-orange-700 dark:mint-text-orange-400"
    },
    DELETE: {
      bg: "mint-bg-red-400/20 dark:mint-bg-red-400/20",
      text: "mint-text-red-700 dark:mint-text-red-400"
    },
    API: {
      bg: "mint-bg-black",
      text: "mint-text-white"
    }
  };
  const MethodBadge = ({method}) => {
    const style = METHOD_STYLES[method?.toUpperCase()] ?? METHOD_STYLES.GET;
    return <span className={`
          method-pill rounded-lg font-semibold px-1.5 py-0.5 text-xs leading-5 ${style.bg} ${style.text}`}>
        {method?.toUpperCase()}
      </span>;
  };
  const content = <div className="group flex items-center gap-4 border border-gray-200 dark:border-gray-700 rounded-xl p-5 hover:border-gray-400 dark:hover:border-gray-500 hover:shadow-md transition-all cursor-pointer">
      {}
      <div className="shrink-0">
        <MethodBadge method={method} />
      </div>
      {}
      <div className="flex-1 min-w-0">
        <p className="font-semibold text-gray-900 dark:text-white text-sm leading-snug">{title}</p>
        {children && <p className="mt-1 text-sm text-gray-500 dark:text-gray-400 line-clamp-2">{children}</p>}
      </div>
    </div>;
  if (!href) return content;
  return <a href={href} className="block no-underline border-b-0 mb-2">
      {content}
    </a>;
};

Use the self-service credential API to manage your own admin access tokens using API key token authentication.

This page describes the endpoints that allow an authenticated application to manage its own admin access tokens. You can use these endpoints to create, list, view, and delete admin access tokens for the currently authenticated application.

All operations require HTTP Basic Authentication using API key credentials. For more information about authentication methods, see the [Authentication](/core-api/authentication/) page.

The self-service credential API is currently in limited release. Contact your Marqeta representative if you want to access this functionality.

<h2 id="create_self_api_key_access_token">
  Create a new admin access token
</h2>

**Action:** `POST`\
**Endpoint:** `/credentials/apikeys/applications/self/accesstokens`

{/* <EndpointCard
title="Create a new admin access token"
path="/credentials/apikeys/applications/self/accesstokens"
method="post"
/> */}

This endpoint enables you to create a new admin access token for the application provided in the header. You can create a maximum of 20 admin access tokens per application.

You must assign roles when creating a new admin access token. You can also assign an expiration date other than the 90-day default value using the `expires_at` field.

* Roles - You must assign one or more roles to your admin access tokens to control their permissions. You cannot create admin access tokens with roles that are not currently assigned to the admin access token you are using to call this endpoint.

* Expiration - When creating a new admin access token, you can set an expiration date using the `expires_at` parameter. The `expires_at` field is optional, and accepts a value between one and 365 days in the future. If you do not provide the `expires_at` field, the expiration of the new admin access token is set to 90 days in the future by default.

<Warning>
  **Important**\
  Admin access token values are secret and are only returned once, at the time of creation. These secret values are found in the `secret_value` field of the admin access token. Record the secret value when you create a new admin access token and store it securely.
</Warning>

<h3 id="_request_body">
  Request body
</h3>

| Fields                                                | Description                                                                                                                                                                                  |
| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| roles<br /><br />array of strings<br /><br />Required | List of roles assigned to an admin access token.<br /><br />**Allowable Values:**<br /><br />`read`, `write`, `pci`, `program-manager`<br /><br />**Format:**<br /><br />`["read", "write"]` |
| expires\_at<br /><br />datetime<br /><br />Optional   | Date and time of admin access token expiration, using ISO-8601 format.<br /><br />**Allowable Values:**<br /><br />**Format:**<br /><br />yyyy-MM-ddThh:mm:ssZ                               |

<h3 id="_response_body">
  Response body
</h3>

| Fields                                                              | Description                                                                                                                                                                                               |
| ------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| token\_id<br /><br />string<br /><br />Conditionally returned       | Unique identifier of the admin access token.<br /><br />**Allowable Values:**<br /><br />255 char max                                                                                                     |
| roles<br /><br />array of strings<br /><br />Conditionally returned | List of roles assigned to the admin access token.<br /><br />**Allowable Values:**<br /><br />`read`, `write`, `pci`, `program-manager`<br /><br />**Format:**<br /><br />`["read", "write"]`             |
| expires\_at<br /><br />datetime<br /><br />Conditionally returned   | Date and time of admin access token expiration (if applicable), in UTC.<br /><br />**Allowable Values:**<br /><br />**Format:**<br /><br />yyyy-MM-ddThh:mm:ssZ                                           |
| created\_at<br /><br />datetime<br /><br />Conditionally returned   | Date and time when the admin access token was created, in UTC.<br /><br />**Allowable Values:**<br /><br />**Format:**<br /><br />yyyy-MM-ddThh:mm:ssZ                                                    |
| secret\_value<br /><br />string<br /><br />Conditionally returned   | Actual admin access token secret value to be used for authentication. This secret value is only returned at time of admin access token creation.<br /><br />**Allowable Values:**<br /><br />255 char max |

<h2 id="list_self_api_key_access_tokens">
  List all admin access tokens
</h2>

**Action:** `GET`\
**Endpoint:** `/credentials/apikeys/applications/self/accesstokens`

{/* <EndpointCard
title="List all admin access tokens"
path="/credentials/apikeys/applications/self/accesstokens"
method="get"
/> */}

Retrieves a paginated list of all admin access tokens for the currently authenticated application, and only includes metadata for categories such as roles, expiration, and timestamps.

<Note>
  **Note**\
  The secret values of admin access tokens are never returned in list operations.
</Note>

This endpoint supports [pagination](/core-api/sorting-and-pagination/) for admin access token sets, but not sorting.

<h3 id="_url_query_parameters">
  URL query parameters
</h3>

| Fields                                              | Description                                                                                                                                |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| count<br /><br />integer<br /><br />Optional        | Maximum number of items to return.<br /><br />Default value is 20.<br /><br />**Allowable Values:**<br /><br />0–20                        |
| start\_index<br /><br />integer<br /><br />Optional | Number of items to skip before collecting the result set.<br /><br />Default value is 0.<br /><br />**Allowable Values:**<br /><br />0 min |

<h3 id="_response_body_2">
  Response body
</h3>

| Fields                                                                          | Description                                                                                                                                                                                   |
| ------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| data<br /><br />array of undefineds<br /><br />Conditionally returned           | List of admin access tokens.<br /><br />**Allowable Values:**<br /><br />Valid admin access token                                                                                             |
| data\[].**token\_id**<br /><br />string<br /><br />Conditionally returned       | Unique identifier of the admin access token.<br /><br />**Allowable Values:**<br /><br />255 char max                                                                                         |
| data\[].**roles**<br /><br />array of strings<br /><br />Conditionally returned | List of roles assigned to the admin access token.<br /><br />**Allowable Values:**<br /><br />`read`, `write`, `pci`, `program-manager`<br /><br />**Format:**<br /><br />`["read", "write"]` |
| data\[].**expires\_at**<br /><br />datetime<br /><br />Conditionally returned   | Date and time of admin access token expiration (if applicable), in UTC.<br /><br />**Allowable Values:**<br /><br />**Format:**<br /><br />yyyy-MM-ddThh:mm:ssZ                               |
| data\[].**created\_at**<br /><br />datetime<br /><br />Conditionally returned   | Date and time when the admin access token was created, in UTC.<br /><br />**Allowable Values:**<br /><br />**Format:**<br /><br />yyyy-MM-ddThh:mm:ssZ                                        |

<h2 id="get_self_api_key_access_token">
  Retrieve details of the current admin access token
</h2>

**Action:** `GET`\
**Endpoint:** `/credentials/apikeys/applications/self/accesstokens/self`

{/* <EndpointCard
title="Retrieve details of the current admin access token"
path="/credentials/apikeys/applications/self/accesstokens/self"
method="get"
/> */}

Retrieves detailed information about the currently authenticated admin access token.

<Note>
  **Note**\
  The secret values of admin access tokens are never returned in list operations.
</Note>

<h3 id="_response_body_3">
  Response body
</h3>

| Fields                                                              | Description                                                                                                                                                                                   |
| ------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| token\_id<br /><br />string<br /><br />Conditionally returned       | Unique identifier of the admin access token.<br /><br />**Allowable Values:**<br /><br />255 char max                                                                                         |
| roles<br /><br />array of strings<br /><br />Conditionally returned | List of roles assigned to the admin access token.<br /><br />**Allowable Values:**<br /><br />`read`, `write`, `pci`, `program-manager`<br /><br />**Format:**<br /><br />`["read", "write"]` |
| expires\_at<br /><br />datetime<br /><br />Conditionally returned   | Date and time of admin access token expiration (if applicable), in UTC.<br /><br />**Allowable Values:**<br /><br />**Format:**<br /><br />yyyy-MM-ddThh:mm:ssZ                               |
| created\_at<br /><br />datetime<br /><br />Conditionally returned   | Date and time when the admin access token was created, in UTC.<br /><br />**Allowable Values:**<br /><br />**Format:**<br /><br />yyyy-MM-ddThh:mm:ssZ                                        |

<h2 id="delete_self_api_key_access_token">
  Delete current admin access token
</h2>

**Action:** `DELETE`\
**Endpoint:** `/credentials/apikeys/applications/self/accesstokens/self`

{/* <EndpointCard
title="Delete current admin access token"
path="/credentials/apikeys/applications/self/accesstokens/self"
method="delete"
/> */}

Deletes the currently authenticated admin access token.

<Warning>
  **Important**\
  Deleting an admin access token does not immediately revoke the token, but rather sets the expiration date to seven days from the date of deletion. If the expiration date is already less than seven days from the date of deletion, no change to the expiration date will occur.
</Warning>
