**Source URL:** https://limited.veevavault.dev/regulatory/vault-api/api-reference/26.2/users/api-access-tokens/generate-api-access-token.md

# Generate API Access Token



Generate an API access token for a specified Vault user. Each user can be granted up to 25 active access tokens. You cannot generate access tokens for VeevaID users. Learn more about [generating access tokens](/vault-api/explanation/api-access-tokens/#Generating_Access_Tokens).

<Endpoint path="https://{vaultDNS}/api/{version}/objects/users/{user_id}/api_access_token__sys" method="POST"></Endpoint>

## Headers {#headers}

<FieldTable>
| Name | Description |
| --- | --- |
| `Authorization` | The Vault `sessionId` or `Bearer {access_token}`. If you do not have any existing access tokens, you must use another method to [authenticate](/vault-api/api-reference/26.2/authentication) to Vault API and obtain a valid session ID. |
| `Content-Type` | `application/x-www-form-urlencoded` or `application/json` |
| `Accept` | `application/json` |
</FieldTable>

## URI Path Parameters {#uri-path-parameters}

<FieldTable>
| Name | Description |
| --- | --- |
| `vaultDNS` | The DNS of the Vault for which you want to generate a session. If the requesting user cannot successfully authenticate to this `vaultDNS`, this request generates a session for the user’s [most relevant available Vault](/vault-api/explanation/auth-defaulting). |
| `version` | The Vault API version. Your authentication version does not need to match the version in subsequent calls. For example, you can authenticate with v17.3 and run your integrations with v20.1. |
| `user_id` | The ID of the Vault user for which to generate an access token. |
</FieldTable>

## Body Parameters {#body-parameters}

<FieldTable>
| Name | Description |
| --- | --- |
| `name__v` | The name or description of the access token. |
| `expiry_date__v` | The expiration date of the access token, in `YYYY-MM-DDTHH:MM:SSZ` format. Dates and times are in UTC. If the time is not specified, it will default to before midnight (`23:59:59`) in the user's timezone on the specified date. The maximum expiration period may vary based on the user's security profile. If allowed by the user's security profile, this parameter can be omitted to indicate the access token never expires. |
</FieldTable>

## Request {#request}

<CodeExample title="">
```
curl -X POST -H "Authorization: {AUTH_VALUE}" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H 'Accept: application/json' \
-d "name__v=IntegrationKey" \
-d "expiry_date__sys=2025-12-31T12:00:00:00.000Z" \
https://myvault.veevavault.com/api/v26.2/objects/users/12345/api_access_token__sys

```
</CodeExample>

## Response {#response}

<CodeExample title="">
```
{
    "responseStatus": "SUCCESS",
    "data": {
        "id": "0PI00000000C002",
        "token__sys": "veeva-vault-B5A79AAD..."
    }
}

```
</CodeExample>

## Response Details {#response-details}

On `SUCCESS`, this request returns the `id` for the access token as well as its value (`token__sys`). The access token's value is only visible upon creation and should be stored safely. If lost, you cannot recover this value and must generate a new access token for the specified user.



---

**Previous:** [API Access Tokens](/regulatory/vault-api/api-reference/26.2/users/api-access-tokens)  
**Next:** [Generate My API Access Token](/regulatory/vault-api/api-reference/26.2/users/api-access-tokens/generate-my-api-access-token)