ButterCMS uses API tokens for programmatic access to your content. Tokens are available from your account settings and should be kept secure.

Token types

| Token type | Purpose | Permissions |
| --- | --- | --- |
| Read API token | Fetching content | Read-only access |
| Write API token | Creating and updating content | Full CRUD access |

Finding your API tokens

  1. Navigate to Settings > General
  2. View your Read API Token
  3. Contact support to enable a Write API Token (requires verification)

Security best practices

Critical security practices:
  1. Never expose tokens in client-side code — Use server-side proxies instead
  2. Use environment variables — Don’t hardcode tokens in your source code
  3. Read vs. write — Use the read-only token when write access isn’t needed
  4. Rotate after incidents — Regenerate tokens if they may have been compromised
  5. Separate environments — Use different tokens for staging and production

Using tokens in your app

Store your token in an environment variable and reference it in code:
```bash
# Set environment variables
export BUTTER_API_TOKEN="your_read_token"
export BUTTER_WRITE_TOKEN="your_write_token"
```

```javascript
// Node.js — read from environment
const butter = require('buttercms')(process.env.BUTTER_API_TOKEN);
```
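The server-side proxy recommended in practice 1 could look like the sketch below. This is an added example, not ButterCMS's own code: a read-only Node.js proxy (Node 18+ for `fetch`) that attaches the token from `BUTTER_API_TOKEN` on the server. The API base URL, the `auth_token` query parameter, the path allowlist and port 3000 are assumptions not stated on this page.

```javascript
// Added example: keeps the read token on the server; the browser only talks to this proxy.
// Assumed, not from the page: BUTTER_BASE, the auth_token parameter, ALLOWED, port 3000.
const BUTTER_BASE = 'https://api.buttercms.com/v2';
const ALLOWED = /^\/(?:posts|pages)\/(?:[\w-]+\/){0,2}$/; // hypothetical allowlist

// Map a browser request to the upstream URL, or return null to reject it.
function buildUpstreamUrl(method, rawUrl, token) {
  if (!token) throw new Error('BUTTER_API_TOKEN is not set');
  if (method !== 'GET') return null; // read-only proxy: no writes pass through
  const incoming = new URL(rawUrl, 'http://proxy.local'); // normalizes ../ segments
  if (!ALLOWED.test(incoming.pathname)) return null;
  const upstream = new URL(BUTTER_BASE + incoming.pathname);
  for (const [key, value] of incoming.searchParams) {
    if (key !== 'auth_token') upstream.searchParams.append(key, value); // drop client-supplied tokens
  }
  upstream.searchParams.set('auth_token', token); // attached server-side only
  return upstream;
}

// Mask the token before a URL is written to logs.
function redact(url) {
  const copy = new URL(url);
  copy.searchParams.set('auth_token', 'REDACTED');
  return copy.href;
}

async function handler(req, res) {
  let upstream;
  try {
    upstream = buildUpstreamUrl(req.method, req.url, process.env.BUTTER_API_TOKEN);
  } catch {
    res.writeHead(500).end('proxy misconfigured');
    return;
  }
  if (!upstream) { res.writeHead(403).end('not allowed'); return; }
  try {
    const reply = await fetch(upstream);
    res.writeHead(reply.status, { 'content-type': reply.headers.get('content-type') || 'application/json' });
    res.end(await reply.text());
  } catch {
    console.error('upstream failure for', redact(upstream)); // never log the raw URL
    res.writeHead(502).end('upstream error');
  }
}

// Start with: BUTTER_API_TOKEN=... node proxy.js --listen
if (process.argv.includes('--listen')) {
  require('http').createServer(handler).listen(3000);
}
```

Use a separate token per environment in `BUTTER_API_TOKEN`, and keep the write token out of this process entirely.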

Frequently asked questions

Contact ButterCMS support to regenerate your API tokens. Keep in mind, this will invalidate existing tokens and require updating all applications that use them.
The read token allows fetching content via the API. The write token allows creating, updating, and deleting content programmatically. Write tokens require verification to enable — contact support to request one.