API Keys

API keys provide programmatic access to Alokai CMS. Each API key generates three tokens for different use cases: management, content delivery, and content preview.

Token types

When you create an API key, three tokens are generated:

Token	Format	Purpose
Management Key	{org}_sk_{hex}	CMS management API — create, update, delete content
Delivery Token	{org}_dt_{hex}	Content delivery API — fetch published content
Preview Token	{org}_pt_{hex}	Content delivery API — fetch latest draft content

Caution

All three tokens are shown only once at creation time. Copy them immediately — they cannot be retrieved later.

Delivery vs Preview tokens

Your storefront uses these tokens as environment variables:

ALOKAI_CMS_DELIVERY_TOKEN=myorg_dt_abc123...   # serves published content
ALOKAI_CMS_PREVIEW_TOKEN=myorg_pt_def456...    # serves latest draft (including unpublished)

• Delivery token (_dt_) — returns only published content. Returns 404 for unpublished pages. Use this in production.
• Preview token (_pt_) — returns the latest draft version regardless of publish status. Use this for preview/staging environments.

The delivery API requires one of these tokens via the Authorization: Bearer header. Requests without a valid token receive a 401 Unauthorized response.

Creating an API key

Go to Settings → API Keys and click New API Key.

Field	Description
Name	A label to identify this key
Description	Optional notes
Permissions	What actions the management key can perform

After creation, a modal displays all three tokens with copy buttons.

Permissions

Permissions apply to the management key (_sk_) only. Delivery and preview tokens always have read access to content.

Permission	Allows
content_read	List and get pages, components, and content models
content_update	Create, update, and publish pages and components
content_delete	Delete pages and components
users_read	List users
users_update	Create and update users

Using tokens

Management key (CMS API)

Pass via Authorization or X-API-Key header:

curl -H "Authorization: Bearer myorg_sk_..." \
     -H "X-Alokon-Organization: your-org-id" \
     -H "X-Alokon-Space: your-space-id" \
     -H "X-Alokon-Environment: main" \
     https://your-cms.workers.dev/api/entries

Delivery / Preview token (Content API)

Pass via Authorization: Bearer header:

# Published content (delivery token)
curl -H "Authorization: Bearer myorg_dt_..." \
     -H "X-Alokon-Space: your-space-id" \
     -H "X-Alokon-Environment: main" \
     https://your-cms.workers.dev/api/v1/pages/by-path/shop/mens

# Draft content (preview token)
curl -H "Authorization: Bearer myorg_pt_..." \
     -H "X-Alokon-Space: your-space-id" \
     -H "X-Alokon-Environment: main" \
     https://your-cms.workers.dev/api/v1/pages/by-path/shop/mens

Rolling tokens

Each token can be regenerated independently without affecting the others:

• Roll Management Key — regenerates the _sk_ token
• Roll Delivery Token — regenerates the _dt_ token
• Roll Preview Token — regenerates the _pt_ token

Go to Settings → API Keys and click the roll button next to the token you want to regenerate. The new token is shown once.

Revoking a key

Click Delete on any key in Settings → API Keys. All three tokens (management, delivery, preview) are immediately invalidated.