Beginner
How to create an API token on DigitalOcean
Quick Answer
Log into DigitalOcean Control Panel, navigate to API > Tokens, generate a new token with a name, expiration, and scopes, then copy the token immediately as it shows only once. Use custom scopes for least privilege like domain:read/write for DNS. Store securely and use via Authorization: Bearer $TOKEN in API calls.
Prerequisites
- Active DigitalOcean account with email verified
- Browser access to DigitalOcean Control Panel
- Team permissions to generate tokens
- Secure storage like a password manager
1
Log in to DigitalOcean Control Panel
Access your DigitalOcean account by navigating to the official dashboard at cloud.digitalocean.com and signing in with your credentials. Ensure your email is verified and you have team permissions if applicable.
2
Navigate to API section
In the left-hand menu of the Control Panel, click API (located near the bottom), which opens the Applications & API page on the Tokens tab by default.
3
Access Personal Access Tokens
On the Tokens tab, locate the Personal access tokens section and click the Generate New Token button.
Tip
If the button is missing or grayed out, check your team role permissions.
4
Enter token name
On the Create A New Personal Access Token page, enter a descriptive Token name for your reference, such as 'MyApp API Token', 'ACME DNS Automation', or 'sail-project'.
5
Set expiration period
Select an Expiration period from the options: fixed durations like 30 days or 1 year, or No expiration for indefinite use (recommended for automation but regenerate periodically for security). Tokens auto-delete after expiry.
Tip
Use 'No expiration' for long-term scripts but monitor and rotate regularly.
6
Choose scopes
Under Scopes, select Custom Scopes to pick specific permissions based on your team role, such as
domain:read and domain:write for DNS, read for monitoring, or full Read and Write for broad access. Review the scope summary at the bottom.Tip
Apply least privilege: use minimal scopes to avoid 403 Forbidden errors on unauthorized endpoints.
7
Generate the token
Click Generate Token. The token value (a long alphanumeric string) will display only once—immediately copy it to a secure location like a password manager. Do not refresh or navigate away, as it won't be shown again.
Tip
Treat the token like a password; if lost, regenerate a new one.
8
Verify in token list
The new token appears in your Personal access tokens list on the Tokens tab. You can rename, regenerate, or delete it from the menu, but scopes cannot be edited after creation.
9
Use the token in tools
Authenticate API requests with
Authorization: Bearer $TOKEN header. For CLI: doctl auth init --access-token YOUR_TOKEN_HEREexport DIGITALOCEAN_TOKEN="your_token_here" then curl -X GET -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" https://api.digitalocean.com/v2/account.Tip
Never hardcode tokens; use environment variables to avoid exposure.
Troubleshooting
Can't access API section or Generate button is missing/grayed out
Insufficient team role permissions; ask team owner to elevate your role or grant token generation access.
Token not visible after generation
Token shows only once; if lost, regenerate a new one immediately without navigating away.
403 Forbidden on API calls
Token scopes don't match endpoint requirements; regenerate with appropriate custom scopes like read/write.
Token expired or invalid
Check expiration setting; regenerate via same steps if auto-deleted.
Expired browser session during process
Re-login to Control Panel and restart from API > Tokens tab.
Ready to get started with DigitalOcean?
Put this tutorial into practice. Visit DigitalOcean and follow the steps above.
Visit DigitalOcean →