Delivery Access Token

Last updated: June 22, 2026

A DeliveryAccessToken is a read-only token used to read published content through the CDA (public delivery). When a website or app fetches published content in the visitor's browser, it calls the CDA with this token. At issue time the token is bound to a single SpaceRole, and that role determines the token's read scope (which Content Types it can read).

In CMA, a DeliveryAccessToken is a sub-resource of Space and is addressed under /spaces/{spaceId}/delivery-access-tokens. Because this token is exposed to the browser (client), the role you bind to it must be a least-privilege role that reads only the Content Types you actually need (see Security: least-privilege binding below).

Resource structure

The following is the response when a DeliveryAccessToken is created. The token value and scope live in sys (system properties), while name and description are body properties.

{
  "sys": {
    "id": "3trmXRM3RqbgSnifyg7PUGndFQrblq",
    "type": "DeliveryAccessToken",
    "space": { "sys": { "id": "tcq4V2Xb", "type": "Refer", "targetType": "Space" } },
    "createdBy": { "sys": { "id": "3trmXRM3RqbgSnifyg7PUGnban93rP", "type": "Refer", "targetType": "User" } },
    "createdAt": "2026-06-18T09:25:32.624Z",
    "updatedBy": { "sys": { "id": "3trmXRM3RqbgSnifyg7PUGnban93rP", "type": "Refer", "targetType": "User" } },
    "updatedAt": "2026-06-18T09:25:32.624Z",
    "accessToken": "DVRATbQ8mX2vK9pLs7Rf1Zt0Nc4Wd6Hg5Ua2Ee9Ck3PoYx8Bj6Hg5Ua2Ee9Ck3Po…",
    "scopes": ["DELIVERY"]
  },
  "description": "Read-only delivery token for the clothing store public site",
  "name": "Public website delivery"
}

Key properties:

  • sys.id: The unique identifier of the DeliveryAccessToken. It goes into {deliveryAccessTokenId} in the single-read, update, and delete paths.
  • sys.accessToken: The secret token value used to call the CDA. The same value is returned on subsequent reads after issuance, so handle it with care (see the security section below).
  • sys.scopes: The token's permission scope. A DeliveryAccessToken is always ["DELIVERY"] at issue time.
  • name: The token name you specify on creation (e.g. Public website delivery).
  • description: A description of the token (optional).

The accessToken shown above is a placeholder, not a real value; a real accessToken is a long, opaque string.

System properties (sys)

Every DeliveryAccessToken carries common system properties and token-specific properties in the sys object. space, createdBy, and updatedBy are in the Refer shape ({ "sys": { "id", "type": "Refer", "targetType" } }).

Property | Type | Description
-------- | ---- | -----------
id | string | Unique resource identifier.
type | string | Resource kind. For a DeliveryAccessToken this is always "DeliveryAccessToken".
space | Refer<Space> | The Space this token belongs to.
createdBy | Refer<User> | The user who created it.
createdAt | string (date-time) | Creation time.
updatedBy | Refer<User> | The user who last updated it.
updatedAt | string (date-time) | Last update time.
accessToken | string | The secret token value used to call the CDA. It is returned as-is on reads after issuance, so handle it so that it is not exposed beyond the client it was issued for.
scopes | string array | The token's permission scope. A DeliveryAccessToken is always ["DELIVERY"].

Body properties:

Property | Type | Description
-------- | ---- | -----------
name | string (1-64) | Token name. Specified on creation.
description | string (≤128) | Token description. Optional.

Security: least-privilege binding

A DeliveryAccessToken calls the CDA from the browser, so it is visible to every visitor of the site. The SpaceRole you bind it to is therefore the token's entire security boundary: whatever that role can read, anyone who extracts the token from the page can read too.

  • In the create request's role, put the sys.id of a least-privilege SpaceRole that reads only the Content Types you need. A read-only role is recommended for public delivery.
  • Never bind the Administrator role. Because the token is exposed to the client, binding a role that carries management privileges hands those privileges to every visitor. Do not simply take the first item in the SpaceRole list either; explicitly specify the sys.id of the intended least-privilege role, and check the role's permissions before binding it.
  • accessToken is a secret value that is returned unchanged on every read after issuance. Inject it into the client build through your build pipeline rather than pasting it into source repositories, logs, or tickets, and if it leaks beyond the client it was issued for, delete the token via the delete path and issue a new one.

(Source: the weegloo-delivery-access-token skill and rule.)

API

The base URL for all endpoints below is https://cma.weegloo.com/v1, and a Bearer token that authenticates against CMA is required in the Authorization header. Updating and partially updating a DeliveryAccessToken does not require the X-Weegloo-Version header.
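The procedure above (pick a least-privilege SpaceRole, create the token under /spaces/{spaceId}/delivery-access-tokens with a Bearer CMA token, check the returned resource, and keep accessToken out of logs) as an added Node.js example. This is not weegloo's own SDK or documentation code. It assumes, as labelled in the comments, that the create body carries the role as { "role": { "sys": { "id": "<SpaceRole sys.id>" } } } (the page only says to put the role's sys.id in role) and that a SpaceRole exposes a name and a list of permission strings in a "read:<ContentType>" form; the base URL, path, headers, response shape, and scopes follow the page. The sample roles and sample response are constructed for the offline demonstration.

```javascript
// Added example (not weegloo's SDK). Provisions a DeliveryAccessToken bound to a
// least-privilege SpaceRole and handles the response safely.
// ASSUMPTIONS (not confirmed by the page): role is sent as { sys: { id } } in the
// create body; a SpaceRole has `name` and `permissions` like "read:product".

const CMA_BASE_URL = "https://cma.weegloo.com/v1";

// Choose the SpaceRole to bind by explicit name, never "the first item in the list".
// Refuses Administrator and any role that carries non-read (management) permissions.
function pickLeastPrivilegeRole(roles, wantedName) {
  const role = roles.find((r) => r.name === wantedName);
  if (!role) throw new Error(`SpaceRole "${wantedName}" not found`);
  if (role.name === "Administrator") {
    throw new Error("refusing to bind Administrator to a client-exposed token");
  }
  // Assumed permission convention: "read:<ContentType>" is the only safe kind.
  const nonRead = (role.permissions || []).filter((p) => !p.startsWith("read:"));
  if (nonRead.length > 0) {
    throw new Error(`role "${role.name}" carries non-read permissions: ${nonRead.join(", ")}`);
  }
  return role.sys.id;
}

// Builds POST {CMA_BASE_URL}/spaces/{spaceId}/delivery-access-tokens with Bearer auth.
// Enforces the body limits from the page: name 1-64 chars, description <= 128.
function buildCreateRequest({ spaceId, cmaToken, name, description, roleId }) {
  if (name.length < 1 || name.length > 64) throw new RangeError("name must be 1-64 characters");
  if (description !== undefined && description.length > 128) {
    throw new RangeError("description must be at most 128 characters");
  }
  return {
    url: `${CMA_BASE_URL}/spaces/${encodeURIComponent(spaceId)}/delivery-access-tokens`,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${cmaToken}`, "Content-Type": "application/json" },
      body: JSON.stringify({ name, description, role: { sys: { id: roleId } } }), // role shape assumed
    },
  };
}

// Validates the created resource before trusting it: correct type, correct Space,
// exactly ["DELIVERY"] as scope, and a non-empty accessToken.
function validateDeliveryToken(resource, spaceId) {
  const sys = resource && resource.sys;
  if (!sys || sys.type !== "DeliveryAccessToken") return false;
  if (!sys.space || !sys.space.sys || sys.space.sys.id !== spaceId) return false;
  if (!Array.isArray(sys.scopes) || sys.scopes.length !== 1 || sys.scopes[0] !== "DELIVERY") return false;
  return typeof sys.accessToken === "string" && sys.accessToken.length > 0;
}

// Copy of the resource for logs and audit trails with the secret removed.
// (The value can always be re-read from CMA, so there is no reason to log it.)
function redactForLog(resource) {
  return { ...resource, sys: { ...resource.sys, accessToken: "<redacted>" } };
}

// Network glue: the real call. Not exercised offline.
async function createDeliveryAccessToken(params) {
  const { url, init } = buildCreateRequest(params);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`CMA returned HTTP ${res.status}`);
  const body = await res.json();
  if (!validateDeliveryToken(body, params.spaceId)) throw new Error("unexpected resource shape");
  console.log("created", JSON.stringify(redactForLog(body)));
  return body; // body.sys.accessToken goes to the client build pipeline, nowhere else
}

// Constructed sample SpaceRoles for the offline demonstration.
const SAMPLE_ROLES = [
  { sys: { id: "roleAdmin01" }, name: "Administrator", permissions: ["manage:*"] },
  { sys: { id: "roleEditor02" }, name: "Editor", permissions: ["read:product", "write:product"] },
  { sys: { id: "roleSiteRead03" }, name: "Public site reader", permissions: ["read:product", "read:page"] },
];

// Offline usage: select the role and build (but do not send) the request.
const roleId = pickLeastPrivilegeRole(SAMPLE_ROLES, "Public site reader");
const request = buildCreateRequest({
  spaceId: "tcq4V2Xb", cmaToken: "<CMA bearer token>", name: "Public website delivery",
  description: "Read-only delivery token for the clothing store public site", roleId,
});
console.log(request.url, JSON.parse(request.init.body).role.sys.id);
```

The role check is deliberately strict: any permission that is not a read grant fails closed, and the Administrator role is rejected by name even before its permissions are inspected. Running the block without a network connection only builds the request; createDeliveryAccessToken is the piece you would call from a CI job that holds the CMA Bearer token.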