Best security practices using Content Management API

I’d like to use the CMA in order to get the sys.firstPublishedAt and sys.updatedAt properties associated with my entries, but worry about using a personal access token with administrative privileges across multiple environments. I’d rather get this information from an account with the least privilege necessary, but I don’t know if there are any best practices when it comes to doing this.

Is it possible to make a read-only token to get this information? What’s the best practice here from a security perspective?

Hi @ianjmacintosh,
Your concerns about security are correct. That’s why I would suggest you to use a CDA or Preview token. I’m not sure you can catch all the information you need, but it would be surely more secure.

A simple workaround if you decide to use CDA could be to create a datetime field and a small UI extension to populate the value at publish.