What access tokens are for
Access tokens let external applications (your own scripts, integrations, analytics tools, or webhook processors) read data from your store via the Storeep API. Each token has a limited permission set and an optional expiry date. Tokens are safer than sharing your account credentials because they can be scoped to only what the integration needs and revoked individually at any time.
To manage tokens, go to Settings → Access tokens. A View documentation button in the panel links to the API reference.
Token limits
- Maximum 40 access tokens per store. The Create new token button is hidden when this limit is reached.
- Tokens are listed newest-first, paginated at 20 per page.
Creating a token
Click Create new token, fill in the form, and click Create.
Token name
- Required.
- Maximum 50 characters.
- Used only for identification in the tokens list. It is never sent to third parties.
Permissions
Select at least one of the four available permission scopes. Each scope is independent:
- Read products: access product listings, details, variants, and inventory data.
- Read orders: access order history, details, statuses, and line items.
- Read webhooks: view webhook configurations and delivery logs.
- Manage webhooks: create, update, and delete webhook subscriptions.
You must select at least one scope. Any scope not selected is inaccessible to that token even if the API endpoint exists.
Data access
This setting controls how far back in time the token can access your data. Choose the most restrictive option that still fits your integration's needs.
- Last 24 hours (default): the token can only access data from the last 24 hours. Recommended for real-time integrations such as live order feeds.
- Set start date: the token can access data from a specific calendar date onwards. When selected, a Data access start date date picker appears where you choose the start date.
- All time: no date restriction. The token can access all historical data. Use only when the integration genuinely needs full history.
Expiration
- Never expires (default): the token is valid indefinitely until manually deleted.
- Set expiration date: when selected, an Expiration date date picker appears. The date must be at least one day in the future and at most one year from today. After the expiration date, the token stops working automatically.
Token value
After clicking Create, the token value is shown once in a success message. Copy and store it securely. Storeep cannot show it again. If you lose it, delete the token and create a new one.
Editing a token
Click a token row to edit its name, permissions, data access mode, and expiration date. You cannot retrieve or change the token value itself. Editing only changes the settings associated with the existing token.
The tokens list columns
- Name: the label you gave the token, with its creation date below.
- Permissions: a list of the granted scopes.
- Data access: shows Last 24 hours, All data, or From [date] depending on the mode.
- Expiration: the expiry date, or Never.
- Last used: the date and time the token was last used to make an authenticated API request, or Never.
Deleting a token
Select one or more tokens and click Delete tokens. Deleted tokens are invalidated immediately. Any integration using a deleted token will start receiving authentication errors.
Security tips
- Grant only the minimum permissions required for each integration.
- Use Last 24 hours data access for webhooks and real-time feeds; use Set start date for scheduled sync jobs.
- Set an expiration date for tokens given to short-term contractors or one-time integrations.
- Monitor the Last used column. A token that has never been used or has not been used recently may belong to an inactive integration and can safely be deleted.