Contentful Community

Best security practices using Content Management API

I’d like to use the CMA in order to get the sys.firstPublishedAt and sys.updatedAt properties associated with my entries, but worry about using a personal access token with administrative privileges across multiple environments. I’d rather get this information from an account with the least privilege necessary, but I don’t know if there are any best practices when it comes to doing this.

Is it possible to make a read-only token to get this information? What’s the best practice here from a security perspective?

Hi @ianjmacintosh,
Your concerns about security are correct. That’s why I would suggest you use a CDA or Preview token. I’m not sure you can catch all the information you need, but it would surely be more secure.

A simple workaround if you decide to use CDA could be to create a datetime field and a small UI extension to populate the value at publish.
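
The read-only approach suggested above, as an added example that is not part of the original thread or Contentful's own code: it builds a Content Delivery API request, refuses to run with a CMA personal access token (these carry the `CFPAT-` prefix), and reads `sys.updatedAt` plus the workaround datetime field. The field ID `firstPublishedAt`, the space and entry IDs, and the sample response are assumptions constructed for illustration.

```javascript
// Added example. Field ID "firstPublishedAt" is a hypothetical custom datetime
// field (the workaround from the reply); sample data below is constructed.
const CDA_HOST = "https://cdn.contentful.com";

// Build a read-only Delivery API request. A CMA personal access token
// ("CFPAT-" prefix) is rejected so an admin credential is never used here.
function buildCdaRequest({ spaceId, environmentId, token }) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("missing delivery token");
  }
  if (token.startsWith("CFPAT-")) {
    throw new Error("refusing CMA personal access token for a read-only job");
  }
  const path = `/spaces/${encodeURIComponent(spaceId)}` +
    `/environments/${encodeURIComponent(environmentId)}/entries`;
  return {
    url: new URL(path, CDA_HOST).toString(),
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Extract timestamps from a CDA entries collection. Entries whose custom
// datetime field has not been populated yet yield null instead of throwing.
function extractTimestamps(collection, dateField = "firstPublishedAt") {
  return (collection.items || []).map((entry) => ({
    id: entry.sys.id,
    updatedAt: entry.sys.updatedAt,
    firstPublishedAt: (entry.fields && entry.fields[dateField]) || null,
  }));
}

// Network call, defined for real use but not invoked in this example.
async function fetchTimestamps(config) {
  const { url, headers } = buildCdaRequest(config);
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`CDA request failed: ${res.status}`);
  return extractTimestamps(await res.json());
}

// Constructed sample of a CDA entries response (trimmed to relevant keys).
const SAMPLE_RESPONSE = {
  sys: { type: "Array" },
  items: [
    { sys: { id: "entry-1", updatedAt: "2021-03-02T10:15:00.000Z" },
      fields: { title: "Hello", firstPublishedAt: "2020-11-20T08:00:00.000Z" } },
    { sys: { id: "entry-2", updatedAt: "2021-03-05T09:00:00.000Z" },
      fields: { title: "No date yet" } },
  ],
};
```
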