API tokens are a lightweight alternative to OAuth applications for authenticating with the Privy API. Instead of exchanging client credentials for a short-lived access token, you generate a long-lived token directly from the dashboard and use it immediately.
| | API Tokens | OAuth Applications |
| Setup | Generate a token in the dashboard | Create an app, then exchange credentials for a token |
| Token lifetime | 30 days to 1 year (or no expiry) | 2 hours |
| Best for | Scripts, internal tools, quick integrations | Third-party integrations, automated token rotation |

Creating a token

1. Open API token settings

Navigate to Settings > API Tokens in your Privy dashboard.

2. Create a new token

Click Create Token. Choose a descriptive name, select the scopes you need, and pick an expiration period.

3. Copy the token

The token is displayed once after creation. Copy it immediately and store it securely — you won’t be able to view it again.
Treat API tokens like passwords. Never share them in client-side code, public repositories, or URLs. If a token is compromised, revoke it immediately from the dashboard.

Token format

API tokens use the prefix privy_ followed by a 40-character hex string:
privy_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
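
Because the format is fixed, a repository or build output can be checked for committed tokens before it is pushed. The scanner below is an added example, not Privy's own tooling; it assumes hex digits in either case are valid, and its function names and sample input are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Shape stated on the page: "privy_" followed by 40 hex characters.
# Assumption: either hex case is accepted (the page's sample is lower case).
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])privy_[0-9a-fA-F]{40}(?![0-9a-fA-F])")

def redact(token):
    """Keep the prefix and last 4 characters so the report does not re-leak the secret."""
    return "privy_****" + token[-4:]

def scan_text(text, source="<text>"):
    """Return (source, line number, redacted token) for each token-shaped string."""
    return [(source, lineno, redact(m.group()))
            for lineno, line in enumerate(text.splitlines(), 1)
            for m in TOKEN_RE.finditer(line)]

def scan_tree(root):
    """Scan every readable file under root, skipping .git internals."""
    findings = []
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        try:
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
    return findings

# Constructed sample input, built from the page's documentation example token.
DOC_TOKEN = "privy_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
SAMPLE = "\n".join([
    f'curl -H "Authorization: Bearer {DOC_TOKEN}" https://api.privy.com/v1/contacts',
    'curl -H "Authorization: Bearer privy_YOUR_TOKEN" https://api.privy.com/v1/contacts',
    "PRIVY_TOKEN=" + DOC_TOKEN[:-1],  # 39 hex characters: not a full token
    "https://example.invalid/hook?token=" + DOC_TOKEN.upper().replace("PRIVY_", "privy_"),
])

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for src, lineno, tok in hits:
        print(f"{src}:{lineno}: possible Privy API token {tok}")
    sys.exit(1 if hits else 0)
```

Run with a directory argument, the script exits non-zero when it finds a match, so it can gate a pre-commit hook or CI job. Any real token it reports should be revoked from the dashboard, since removing it from the file does not remove it from history.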

Scopes

Scopes control what your token can access. You select scopes when creating the token.
| Scope | Description |
| contacts_read | List and filter contacts |
| contacts_write | Create, update, unsubscribe, and delete contacts |

Using a token

Include the token in the Authorization header as a bearer token — exactly the same as an OAuth access token:
curl -X GET "https://api.privy.com/v1/contacts" \
  -H "Authorization: Bearer privy_YOUR_TOKEN"
All API endpoints accept both API tokens and OAuth access tokens interchangeably.

Expiration

When creating a token, choose from the following lifetimes:
| Option | Duration |
| 30 days | Token expires 30 days after creation |
| 60 days | Token expires 60 days after creation |
| 90 days | Token expires 90 days after creation |
| 1 year | Token expires 1 year after creation |
| No expiration | Token never expires (use with caution) |
Tokens that were created with an expiration can be renewed from the dashboard to extend them by their original duration.

Revoking a token

You can revoke a token at any time from Settings > API Tokens in the dashboard. Revoked tokens are rejected immediately — any request using a revoked token receives a 401 error.

Limits

Each Privy account can have up to 25 active API tokens at a time. Revoked and expired tokens do not count toward this limit. Rate limits apply to API tokens the same way they apply to OAuth access tokens — all requests under the same account share the same rate limit budget.

Error responses

| Status | Code | Cause |
| 401 | unauthorized | Token is missing, invalid, expired, or revoked |
| 403 | insufficient_scope | Token does not have the required scope for this endpoint |
See the Errors page for all error codes.