> ## Documentation Index
> Fetch the complete documentation index at: https://buttercms.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# API tokens

> Learn how to access and securely use your ButterCMS read and write API tokens.

ButterCMS uses API tokens for programmatic access to your content. Tokens are available from your account settings and should be kept secure.

## Token types

| Token type          | Purpose                       | Permissions      |
| ------------------- | ----------------------------- | ---------------- |
| **Read API token**  | Fetching content              | Read-only access |
| **Write API token** | Creating and updating content | Full CRUD access |

## Finding your API tokens

1. Navigate to **Settings > General**
2. View your Read API Token
3. [Contact support](../../support/contact-status/contact-support) to enable a Write API Token (requires verification)

## Security best practices

<Warning>
  **Critical security practices:**

  1. **Never expose tokens in client-side code** — Use server-side proxies instead
  2. **Use environment variables** — Don't hardcode tokens in your source code
  3. **Read vs. write** — Use the read-only token when write access isn't needed
  4. **Rotate after incidents** — Regenerate tokens if they may have been compromised
  5. **Separate environments** — Use different tokens for staging and production
</Warning>

## Using tokens in your app

Store your token in an environment variable and reference it in code:

```bash theme={null}
# Set environment variables
export BUTTER_API_TOKEN="your_read_token"
export BUTTER_WRITE_TOKEN="your_write_token"
```

```javascript theme={null}
// Node.js — read from environment
const butter = require('buttercms')(process.env.BUTTER_API_TOKEN);
```

## Frequently asked questions

<AccordionGroup>
  <Accordion title="How do I rotate my API tokens?">
    Contact ButterCMS support to regenerate your API tokens. Keep in mind, this will invalidate existing tokens and require updating all applications that use them.
  </Accordion>

  <Accordion title="What is the difference between read and write tokens?">
    The read token allows fetching content via the API. The write token allows creating, updating, and deleting content programmatically. Write tokens require verification to enable — [contact support](../../support/contact-status/contact-support) to request one.
  </Accordion>
</AccordionGroup>
