Should I keep Access Tokens secret?

Hello :wave:
Is it okay to have access credentials like Space ID and Content Delivery API - access token in a public repository?

Hi @simonsil!

That’s not suggested. I would rather say- it’s highly recommended to not expose access tokens on public GitHub repositories and anywhere else.
We try to contact Contentful users on GitHub if see that they release Contentful access tokens publicly.

As a general rule any configuration value, even if unrelated to security, should be kept off of source control. I would always recommend committing only placeholders. That’s just a good practice that should always be followed.

That being said, allowing the public to learn your space Id and Content Delivery API (CDA) token isn’t a security issue if that space holds only content meant for public consumption. The reasons are:

  • CDA is read-only. No one can use its token to change your content, so that’s safe.
  • Content is public in this scenario, so the worst that can happen is someone very technical firing up a REST client and getting it without going through your site - which isn’t very legible, as it’s all JSON payloads

If you’re concerned about the risk of a malicious agent using that token to cause a lot of API calls, remember that the risk is no higher than that agent simply loading your site a lot of times. There’s no measurable security difference.

If your content is meant for consumption only by logged in users, on the other hand (ex: premium content for users only), then we recommend you don’t expose the CDA token and keep it server side, routing all CDA calls through there instead.

In any case, please always keep placeholders in your public repository and never actual tokens. Like I said, it’s a good practice to follow.


Great! Thank you for the detailed explanations.
I’d suggest adding these somewhere in FAQ or directly in the API section of Spaces.

I was planning on using Google’s Cloud Functions for Firebase as a way of keeping my CDA tokens off the JS client. I could probably protect the endpoint too with CORS for my domain.

But given that CDA is read only, maybe I can put it down as a lower priority for now.

1 Like