Using API Token authentication

What is an "API Token"?

API tokens are token strings that can be issued by each app in kintone. kintone APIs can be used by placing this on the request header of the REST API. There are various advantages of using this authentication for REST API.

Advantage 1: User ID and passwords are not required

When using APIs with User IDs and passwords, a system needs to save the User ID and password to the system. This makes it harder for the password to be changed, and there is also a risk of the user credentials being leaked from that system. Using REST APIs with API tokens reduces this risk.

Advantage 2: You can limit the apps to call REST APIs to

API tokens are created on each app and the token can only call the REST API on the app it was created on. This prevents the risk of accidentally using the API on the wrong app.

Advantage 3: Types of REST APIs can be limited

You can limit the type of REST API to be called using the API token. For example, you can set up the API token so that "The Get Record API can be called, but the Update Record API cannot be called". This prevents problems of accidentally executing unintentional API calls. Even if the API token were to be leaked, it keeps the risk to the minimum.

Creating API Tokens

Here, we will show an example of how to create an API token and run an API to obtain records from an app.
First, access the app that you would like to create API tokens for. If you are the Administrator of the app, you will be able to open the "Change App Settings" from the App's options (if you have created the app, you should be the Administrator of the app). Proceed to click on "API Token".

The "API Token" page lets you create API tokens for this specific kintone app.
Normally, you would only need to create just one API token for customizations.

If you click the "Generate" button, an API token will be generated and several check-boxes will appear under the "Permissions" section. You can limit the type of APIs that can be run with this API token by checking these boxes on and off. By default, the "View Record" is checked so you can only use API to retrieve records with this token.

For now, keep the settings as they are and click the "Save" button. Update the app by pressing the "Update App" button.
*You must update the app to use the API token. Just generating the API token will not be enough - do not forget to save and update your app after generating the API token.

Running REST API using an API Token

Try out the API token by running the REST API on a curl command, like the following.

curl -H "X-Cybozu-API-Token: {'Created API Token'}" "https://{'Domain Name'}'App ID')"

If you run the command, the information of your records in the app should be displayed (If you have set the Basic authorization option, you must configure additional settings so please refer to the curl's man page).


Each app in your kintone environment can generate API Tokens. By using API tokens, you can run REST API securely without needing to use your user credentials.
API tokens are used for REST APIs - you do not need to use it in conjunction with the JavaScript API.

Was this article helpful?
0 out of 0 found this helpful
  • Avatar

    If I am using the API token to view/add/edit/delete records in an app, will that app's JS customization run too (for instance, any event logic I built in)?

  • Avatar
    kintone developer network team

    Hi Nim
    No, the App's JS file will only run on browser based events, and cannot be initiated by external calls.

Please sign in to leave a comment.