API Access Tokens

API users can authenticate to Vault API using an API access token. When a user is granted permission to Vault API, they can generate an access token to make requests to Vault API. An access token does not give the user access to the Vault UI and is specific to a single Vault.

Access token values always begin with veeva-vault- followed by a randomized string. Instead of initiating a session with a user name and password, users can provide the value of their access token in place of the session ID when making calls to Vault API. The Authorization HTTP header accepts the access token value preceded by the Bearer keyword.

The following request example utilizes an access token to retrieve an object's metadata:

curl -X GET -H "Authorization: Bearer veeva-vault-B5A79AAD..." \
https://myvault.veevavault.com/api/v26.2/metadata/vobjects/product__v
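
Because every access token value begins with veeva-vault-, a token that ends up in shell history, CI logs or source files can be found and masked by its prefix. The scanner below is an added example, not part of the Vault documentation; the alphabet and minimum length of the randomized part are assumptions, and the sample tokens are constructed.

```python
import re

# Documented on the page: token values always begin with "veeva-vault-".
# Assumption: the randomized part is at least 8 alphanumeric characters;
# the page does not specify its alphabet or length.
PREFIX = "veeva-vault-"
TOKEN_RE = re.compile(re.escape(PREFIX) + r"[A-Za-z0-9]{8,}")


def redact(text, keep=4):
    """Mask each token, keeping the prefix and the first `keep` random chars
    so that a finding can still be matched to a token by its owner."""
    def _mask(match):
        return match.group(0)[: len(PREFIX) + keep] + "[REDACTED]"
    return TOKEN_RE.sub(_mask, text)


def scan(lines):
    """Return (line_number, redacted_line) for every line that holds a token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if TOKEN_RE.search(line):
            hits.append((number, redact(line.rstrip("\n"))))
    return hits


# Constructed sample input: the token values and host below are made up.
SAMPLE = """\
2025-01-01T10:00:00Z job started
curl -H "Authorization: Bearer veeva-vault-AAAA1111BBBB2222CCCC3333" https://myvault.example
export VAULT_TOKEN=veeva-vault-DDDD4444EEEE5555
note: values start with veeva-vault- followed by a randomized string
""".splitlines()

if __name__ == "__main__":
    for lineno, safe_line in scan(SAMPLE):
        print(f"line {lineno}: {safe_line}")
```

The bare prefix in the last sample line is not reported, since no randomized part follows it. A token found this way should be treated as exposed and deleted as described further down this page.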

Users can grant themselves access tokens via the Vault UI or Vault API. API users can use the API Access Token endpoints to generate access tokens. When generating an access token, you have the option of providing an expiration date.

Each user can be granted up to 25 active access tokens. Access tokens become inactive when they expire or are deleted.

Use the Retrieve Object Record endpoint or send a VQL query to retrieve metadata for an existing access token (api_access_token__sys), including its ID. Users are only capable of reading the metadata for their own tokens, while Admins with the appropriate permissions can retrieve the metadata for any user's access tokens.

To delete an access token using Vault API, send a request to the Delete Object Records endpoint. Users are capable of deleting their own tokens; however, they must have the appropriate permissions in order to delete other users' access tokens. This operation can also be performed from a user's profile page in Vault.

Access tokens and their values are not always retained when performing certain Vault operations.

The following table outlines the affected operations:

| Operation | Token Retention Behavior |
| --- | --- |
| Creating a sandbox from a production Vault | Access token values are not copied over to the new sandbox Vault. They must be recreated with the Generate API Access Token for Sandbox endpoint. |
| Refreshing a sandbox | Access tokens and their values are copied over to the refreshed sandbox. |
| Promoting a pre-production Vault to production | Access tokens are not copied over to the production Vault. |
| Converting an existing user to VeevaID | Access tokens for that user are deleted. |