**Source URL:** https://limited.veevavault.dev/regulatory/vault-api/explanation/api-access-tokens.md

# API Access Tokens



API users can authenticate to Vault API using an API access token. When a user is granted permission to Vault API, they can generate an access token to make requests to Vault API. An access token does not give the user access to the Vault UI and is specific to a single Vault.

Access token values always begin with `veeva-vault-` followed by a randomized string. Instead of initiating a session with a user name and password, users can provide the value of their access token in place of the session ID when making calls to Vault API. The `Authorization` HTTP header accepts the access token value preceded by the `Bearer` keyword.

The following example request uses an access token to retrieve an object's metadata:

```
curl -X GET -H "Authorization: Bearer veeva-vault-B5A79AAD..." \
https://myvault.veevavault.com/api/v26.2/metadata/vobjects/product__v
```

## Generating Access Tokens {#Generating_Access_Tokens}

Users can grant themselves access tokens via the [Vault UI](https://platform.veevavault.help/en/lr/7239/#api-access-tokens) or Vault API. API users can use the [API Access Token](/vault-api/api-reference/26.2/users/api-access-tokens) endpoints to generate access tokens. When generating an access token, you have the option of providing an expiration date.

<Aside type="caution" title="Warning">The [API Access Token](/vault-api/api-reference/26.2/users/api-access-tokens) endpoints return the newly generated access token's value in their response. Its value is only visible upon its creation and should be stored safely. If lost, you cannot recover this value and must generate a new API token.</Aside>

Each user can be granted up to 25 active access tokens. Access tokens become inactive when they expire or are deleted.
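
Because every token value starts with the fixed `veeva-vault-` prefix and acts as a bearer credential, a prefix-based scan is a practical way to check that tokens have not ended up in scripts, shell history, or logs. The following Python scanner is an added example, not part of Veeva's documentation or tooling; the character set and minimum length after the prefix are assumptions, and the sample tokens are constructed.

```python
import re

# Assumption: the page only says a token is "veeva-vault-" plus a randomized
# string; the character set and minimum length below are guesses, kept broad.
TOKEN_RE = re.compile(r"\bveeva-vault-[A-Za-z0-9_-]{8,}")

def redact(token: str) -> str:
    """Keep the fixed prefix and 4 characters so findings can be correlated."""
    return token[:len("veeva-vault-") + 4] + "...[REDACTED]"

def scan_text(text: str, source: str = "<input>"):
    """Return (source, line_no, redacted_token, in_auth_header) per finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            # Flag tokens seen in a logged Authorization header separately:
            # those were actually sent and may have reached log pipelines.
            prefix = line[:match.start()].lower()
            in_header = prefix.rstrip().endswith("bearer")
            findings.append((source, line_no, redact(match.group()), in_header))
    return findings

def sanitize(text: str) -> str:
    """Return text with every token replaced by its redacted form."""
    return TOKEN_RE.sub(lambda m: redact(m.group()), text)

# Constructed sample input (not real tokens).
SAMPLE = """\
export VAULT_TOKEN=veeva-vault-0123456789ABCDEF0123
GET /api/v26.2/metadata/vobjects/product__v Authorization: Bearer veeva-vault-FEDCBA9876543210
note: tokens start with veeva-vault- followed by random text
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.log"):
        print(finding)
    print(sanitize(SAMPLE))
```

Any token the scan finds outside its intended secret store should be treated as exposed: delete it and generate a replacement, since the value cannot be recovered or changed in place.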

## Retrieving Access Token Metadata {#retrieving-access-token-metadata}

Use the [Retrieve Object Record](/vault-api/api-reference/26.2/vault-objects/retrieve-object-record) endpoint or send a [VQL query](/vql/query-targets/api-access-tokens) to retrieve metadata for an existing access token (`api_access_token__sys`), including its ID. Users can read the metadata only for their own tokens, while Admins with the appropriate permissions can retrieve the metadata for any user's access tokens.

## Deleting Access Tokens {#deleting-access-tokens}

To delete an access token using Vault API, send a request to the [Delete Object Records](/vault-api/api-reference/26.2/vault-objects/delete-object-records) endpoint. Users can delete their own tokens, but they must have the appropriate permissions to delete other users' access tokens. This operation can also be performed from a [user's profile page](https://platform.veevavault.help/en/lr/7239/#api-access-tokens) in Vault.

## Access Token Retention {#Access_Token_Retention}

Access tokens and their values are not always retained when performing certain Vault operations.

The following table outlines the affected operations:

<FieldTable>
| Operation | Token Retention Behavior |
| --- | --- |
| Creating a sandbox from a production Vault | Access token values are not copied over to the new sandbox Vault. They must be recreated with the [Generate API Access Token for Sandbox](/vault-api/api-reference/26.2/sandbox-vaults/generate-api-access-token-for-sandbox) endpoint. |
| Refreshing a sandbox | Access tokens and their values are copied over to the refreshed sandbox. |
| Promoting a pre-production Vault to production | Access tokens are not copied over to the production Vault. |
| Converting an existing user to VeevaID | Access tokens for that user are deleted. |
</FieldTable>
