What are Access Tokens used for?

Access tokens are used to authenticate with the Threekit Platform. They are most commonly used to authenticate scripts and third-party integrations. Access tokens are classified as either public or private, based on their use case. This is explained in more detail below.

How to Create an Access Token


Public access tokens require the creation of a Service Account. For instructions on creating this account, click here.


Creating an access token is simple.

  1. Log in to the Threekit Platform, and switch to the organization the token will be made for
  2. On the left-hand side, select Settings
  3. Within the Settings dropdown, select Tokens
  4. On the Access Tokens page, click the Add Token button
  5. Provide a name and choose whether the access token should be public or private
  6. When making a public access token, you will also need to provide the domains which are allowed to use the token and select an appropriate service account.
  7. Click Add Token to create the new access token
  8. Your new token should be visible in the organization's access tokens list

There is no limit on the number of active access tokens an organization can have.

Removing an Access Token

An access token may be revoked at any time. Simply click the Delete icon on the token in the access tokens list.

Using an Access Token

Access tokens can be used when making API requests over HTTPS. Simply supply the token ID inside a Bearer authorization header.

Public Access Tokens

Public access tokens are designed to be used within a third-party website configurator embed. As these tokens will be embedded into a website, they will be viewable within the website's served code. Consequently, these tokens have the minimum permissions necessary to access an organization's configurator, to save customers' configurations, and to send analytics.

When creating a public access token, a list of domains must be supplied. This list determines which websites can use the token. When a website outside of this list tries to use the token, it will be stopped by the browser's CORS policy.

Private Access Tokens

In contrast to public access tokens, private access tokens are designed to authenticate when using the broader Threekit API. Private access tokens have the full permissions of the user who created them, within the token's organization.


Wildcard Subdomains

Use the * to create a wildcard subdomain. For example, `*`
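
The domain list and wildcard entries described above can be checked as follows. This is an added example, not Threekit's code: `hostMatches`, `allowedOrigin` and `auditAllowList` are hypothetical names, and the matching rules (a leading `*.` covers subdomains at any depth but not the bare domain, and only `https` origins are accepted) are assumptions, since the page does not define them.

```javascript
// Added example: hypothetical allow-list check, not Threekit's implementation.
// Assumed rules: an entry is an exact hostname or "*.<domain>"; the wildcard
// covers subdomains at any depth but not the bare domain; https origins only.

function hostMatches(pattern, host) {
  const p = pattern.trim().toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith('*.')) return h === p;
  const suffix = p.slice(1); // "*.example.com" -> ".example.com"
  // Comparing with the leading dot keeps look-alikes such as
  // "evilexample.com" and the bare "example.com" from matching.
  return h.length > suffix.length && h.endsWith(suffix);
}

// Returns the origin to echo in Access-Control-Allow-Origin, or null to omit it.
function allowedOrigin(originHeader, allowList) {
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // "null", empty or malformed Origin values are refused
  }
  if (url.protocol !== 'https:') return null;
  return allowList.some((p) => hostMatches(p, url.hostname)) ? url.origin : null;
}

// Returns the entries that would make the domain restriction too broad.
function auditAllowList(allowList) {
  return allowList.filter((entry) => {
    const t = entry.trim();
    const labels = t.replace(/^\*\./, '').split('.');
    // Flag a wildcard outside the leading label, empty labels, and entries
    // with fewer than two labels after the wildcard ("*", "*.com").
    return t.includes('*', 1) || labels.includes('') || labels.length < 2;
  });
}

// Constructed sample data.
const sampleList = ['shop.example.com', '*.example.org', '*.com'];
console.log(auditAllowList(sampleList));
console.log(allowedOrigin('https://cdn.example.org', sampleList));
```

The audit does not consult the Public Suffix List, so an entry such as `*.co.uk` is not flagged. CORS is enforced by browsers, so the domain list restricts which sites can embed the token, and the token's minimal permissions remain the control for everything else.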
