Delivery Access Token
Last updated: June 22, 2026
A DeliveryAccessToken is a read-only token used to read published content from the CDA (public delivery). When a website or app fetches published content from the browser, it calls the CDA with this token. The token is bound to a single SpaceRole at issue time, and that role determines its read scope (which Content Types it can read).
In CMA, a DeliveryAccessToken is a sub-resource of Space, and its path is based on /spaces/{spaceId}/delivery-access-tokens. Because this token operates while exposed to the browser (client), the role you bind to it must be a least-privilege role that reads only the Content Types you actually need (see Security: least-privilege binding below).
Resource structure
The following is the response when a DeliveryAccessToken is created. The token value and scope live in sys (system properties), while name and description are body properties.
{
  "sys": {
    "id": "3trmXRM3RqbgSnifyg7PUGndFQrblq",
    "type": "DeliveryAccessToken",
    "space": { "sys": { "id": "tcq4V2Xb", "type": "Refer", "targetType": "Space" } },
    "createdBy": { "sys": { "id": "3trmXRM3RqbgSnifyg7PUGnban93rP", "type": "Refer", "targetType": "User" } },
    "createdAt": "2026-06-18T09:25:32.624Z",
    "updatedBy": { "sys": { "id": "3trmXRM3RqbgSnifyg7PUGnban93rP", "type": "Refer", "targetType": "User" } },
    "updatedAt": "2026-06-18T09:25:32.624Z",
    "accessToken": "DVRATbQ8mX2vK9pLs7Rf1Zt0Nc4Wd6Hg5Ua2Ee9Ck3PoYx8Bj6Hg5Ua2Ee9Ck3Po…",
    "scopes": ["DELIVERY"]
  },
  "description": "Read-only delivery token for the clothing store public site",
  "name": "Public website delivery"
}

Key properties:
- sys.id: The unique identifier of the DeliveryAccessToken. It goes into {deliveryAccessTokenId} in the single-read, update, and delete paths.
- sys.accessToken: The secret token value used to call the CDA. The same value is returned on subsequent reads after issuance, so handle it with care (see the security section below).
- sys.scopes: The token's permission scope. A DeliveryAccessToken is always ["DELIVERY"] at issue time.
- name: The token name you specify on creation (e.g. Public website delivery).
- description: A description of the token (optional).
The accessToken in the example above is a secret value, so it is replaced with an example string. In reality it is a long, opaque string, and reading it again after issuance returns the same value.
System properties (sys)
Every DeliveryAccessToken carries common system properties and token-specific properties in the sys object. space, createdBy, and updatedBy are in the Refer shape ({ "sys": { "id", "type": "Refer", "targetType" } }).
| Property | Type | Description |
|---|---|---|
| id | string | Unique resource identifier. |
| type | string | Resource kind. For a DeliveryAccessToken this is always "DeliveryAccessToken". |
| space | Refer<Space> | The Space this token belongs to. |
| createdBy | Refer<User> | The user who created it. |
| createdAt | string (date-time) | Creation time. |
| updatedBy | Refer<User> | The user who last updated it. |
| updatedAt | string (date-time) | Last update time. |
| accessToken | string | The secret token value used to call the CDA. Since it is returned as-is on reads after issuance, handle it so it is not exposed externally. |
| scopes | string array | The token's permission scope. A DeliveryAccessToken is always ["DELIVERY"]. |
Body properties:
| Property | Type | Description |
|---|---|---|
| name | string (1-64) | Token name. Specified on creation. |
| description | string (≤128) | Token description. Optional. |
Security: least-privilege binding
A DeliveryAccessToken calls the CDA while exposed to the browser and to visitors. Because of this, which SpaceRole you bind it to is exactly what defines the token's security boundary.
- In the create request's role, put the sys.id of a least-privilege SpaceRole that reads only the Content Types you need. A read-only role is recommended for public delivery.
- Never bind the Administrator role. Since this token is exposed to the client, binding a role that carries management privileges leaks those privileges externally as-is. Also, do not absentmindedly use the first item in the SpaceRole list; explicitly specify the sys.id of the intended least-privilege role.
- accessToken is a secret value that is returned with the same value on reads after issuance. Inject it safely into the client build, but do not expose it externally as-is.
(Source: the weegloo-delivery-access-token skill and rule.)
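The binding rules above can be enforced as a pre-flight check before the create call is sent. The following is an added example, not Weegloo's own code: the SpaceRole item shape, the POST method on the collection path, the role ids and the helper names are assumptions, and the request is only built, never sent.

```python
# Added example: pre-flight guard for creating a DeliveryAccessToken.
# Assumptions (not from the page): SpaceRole items look like
# {"sys": {"id": ...}, "name": ...}; creation is a POST to the collection path;
# the Administrator role is recognised by its name.
import copy

CMA_BASE = "https://cma.weegloo.com/v1"      # base URL given on the page
FORBIDDEN_ROLE_NAMES = {"administrator"}     # page: never bind Administrator


def build_create_request(space_id, roles, role_id, name, description=""):
    """Return (method, url, body) for the create call, or raise ValueError."""
    if not role_id:
        # No fallback to roles[0]: the role must be chosen explicitly.
        raise ValueError("role_id must be given explicitly")
    by_id = {r["sys"]["id"]: r for r in roles}
    role = by_id.get(role_id)
    if role is None:
        raise ValueError(f"role {role_id!r} is not a SpaceRole of this space")
    if role["name"].strip().lower() in FORBIDDEN_ROLE_NAMES:
        raise ValueError("refusing to bind a management role to a client-exposed token")
    if not 1 <= len(name) <= 64:             # body property limits from the page
        raise ValueError("name must be 1-64 characters")
    if len(description) > 128:
        raise ValueError("description must be at most 128 characters")
    url = f"{CMA_BASE}/spaces/{space_id}/delivery-access-tokens"
    body = {"name": name, "role": role_id}
    if description:
        body["description"] = description
    return "POST", url, body


def redact_token(resource):
    """Copy a DeliveryAccessToken response with sys.accessToken masked for logs."""
    safe = copy.deepcopy(resource)
    token = safe.get("sys", {}).get("accessToken")
    if token:
        safe["sys"]["accessToken"] = token[:4] + "...[redacted]"
    return safe


# Constructed sample data (ids and role names are made up).
SAMPLE_ROLES = [
    {"sys": {"id": "role-admin-0001"}, "name": "Administrator"},
    {"sys": {"id": "role-read-0002"}, "name": "Public site reader"},
]
```

The guard only rejects the cases the page names; whether the chosen role really reads nothing beyond the needed Content Types still has to be confirmed against the SpaceRole definition.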
API
The base URL for all endpoints below is https://cma.weegloo.com/v1, and a Bearer token that authenticates against CMA is required in the Authorization header. Updating and partially updating a DeliveryAccessToken does not require the X-Weegloo-Version header.
Related documents
- SpaceRole: Defines the role (read scope) to bind to this token.
- CDA overview: The delivery API that reads published content with this token.
- Personal Access Token: A Weegloo User token for servers and CI.
