Skip to content
Arc XP
Product Documentation

Using Developer Access Tokens to Access the Arc XP APIs

Arc XP applications include a robust API layer to create and manage data. Arc XP APIs can be used for:

  • Building your own tools on top of the Arc XP platform.
  • Building custom integrations with external software.
  • Generating reports.
  • Migrating data.

Most Arc XP API endpoints are accessible over HTTPS and require authentication. This guide demonstrates how to fetch basic data from Arc XP using the curl tool in the command line.

Prerequisites

To start working with Arc XP APIs, ensure you have:

  • Access to the Developer Center app in your Arc XP instance
  • Understanding of REST APIs
  • Familiarity with HTTP headers and authentication methods

Step 1. Generate an access token

Take the following steps to generate an access token in the Developer Center:

  1. Access your Arc XP instance at:

    https://{org-id}.arcpublishing.com

  2. Enter your Okta credentials. The Arc XP dashboard displays.

  3. Click the developer center tile under the Administration section.

    Developer Center Tile

    The Access Tokens page displays.

  4. Click the New access token button.

    A modal window displays.

  5. Select the Read only access token type.

  6. Click the Create token button.

    The token description page displays.

  7. In the text field, write a description for your token.

  8. Click the Generate token button.

    The generated access token page displays.

  9. Copy your access token to a safe place.

Step 2. Determine your organization’s API domain

Each Arc XP user exists within an organization, and might be your employer’s name. Each organization is assigned a unique domain to access the Arc XP APIs.

To obtain your API Domain, add api. to the beginning of the domain you use to access your Arc XP website. For example:

https://api.{org-id}.arcpublishing.com

Step 3. Access the Arc XP APIs

To access RESTful endpoints in the Arc XP APIs, include your access token in an HTTP Authorization header using the Bearer Authentication Scheme.

For example, you can use the Site Service API to get a list of websites you have created in your organization. Paste the following to your command line:

curl -H "Content-Type: application/json" \
-H "Authorization: Bearer ACCESS_TOKEN" \
-X GET https://api.{org-id}.arcpublishing.com/site/v3/website/

Types of access tokens

Because access tokens bypass the user-level permissions structure of Arc XP, there are different token types for different purposes. In general, you must use:

  • A Read-only token if you do not need to modify content within Arc XP.
  • A Restricted-access token for specific and secure access to the fewest Arc XP applications necessary.
  • An All-access token only for more advanced use cases.

Although some token types are non-destructive, all tokens can access data generated by Arc XP applications. This includes internal notes, unpublished content, and sensitive user data. Any person with an access token must be considered to have all permissions. You must not use access tokens as a replacement for standard user login and authentication mechanisms.

Table 1 lists the available token types and their purposes.

Token typePurpose
Read-onlyEnables you to retrieve data without modifying it.
Restricted-accessGrants limited permissions to specific applications.
All-accessProvides full read and write access to all API endpoints.
PageBuilderEnables deployment of bundles to the Arc XP platform.

Table 1. Access token types

The following sections detail each type of access token:

Read-only tokens

Arc XP recommends read-only access tokens for the most common use cases, such as retrieving data from the Content API.

A read-only token grants a user or application non-destructive access to the Arc XP APIs. Read-only tokens can access but not modify data generated by any user in your organization.

The following table shows the types of requests allowed and forbidden in Arc XP APIs with a read-only access token:

GETHEADOPTIONSPOSTPUTPATCHDELETE
Content API❌*
Draft API
Site API
Author API
Tags API
Photo Center API
Global Settings API

Restricted-access tokens

Restricted-access tokens work with specific Arc XP applications. Restricted-access tokens enable greater control to improve your organization’s security. When granting access to APIs, you can grant read access to one application while permitting read or write access to another application.

Limiting the scope of your access tokens strengthens your organization’s security and ensures compliance with security standards, particularly with protected data that cannot be exposed to third-party integrations.

All-access tokens

Arc XP recommends All-access tokens for trusted machine-to-machine integrations. Applications that generate, ingest, or modify content into Arc XP without human intervention must use all-access tokens.

All-access tokens grant a user or application full access to Arc XP APIs. Requests of any type are allowed in any endpoint of the Arc XP APIs.

Users provision and revoke All-access tokens using the Developer Center. Users must have the “Create Admin Access Tokens” privilege to provision.

PageBuilder access tokens

PageBuilder Engine generates PageBuilder access tokens when deploying a bundle. In most cases, PageBuilder access tokens are completely opaque to users.

PageBuilder access tokens have the same access privileges as read-only tokens, and support the same API requests.

PageBuilder Engine automatically provisions and revokes PageBuilder access tokens as necessary for deployments to proceed. Users cannot manually provision or revoke PageBuilder access tokens in the Developer Center.

For more information on PageBuilder access tokens, see How Access Tokens Work In PageBuilder .

Limitations on access tokens

The following limitations apply to Arc XP access tokens:

  • A single organization can have a maximum of 300 access tokens.

  • A single user can have a maximum of 30 access tokens.

Access token best practices

Access tokens have a wide scope and should be handled with care. To maximize their effectiveness, consider the following:

  • Do not generate tokens on behalf of other users. You can grant access privileges by assigning users and privileges to the correct squad and role in the Permissions tile of the Arc XP dashboard. In this way, users can create and revoke their own tokens. This removes the need to transmit tokens in an insecure way from one user to another and protects you from being responsible for tokens that you are not using.

  • Rotate tokens regularly. Access tokens are easy to create and revoke, and you can maintain multiple access tokens simultaneously. You can “rotate” an old access token by creating a new token, deploying your application with the new token, and then revoking the old token after your application is in production. Doing this regularly minimizes the amount of time that a compromised token can be exploited.

  • Generate a unique token for each application. If a token is compromised, you may find it easier to revoke a token that affects the narrowest slice of functionality possible. Having a unique token for each distinct application or use case means that you only need to replace one token later on and can revoke compromised tokens more quickly.

  • Do not use access tokens in client-side applications. Access tokens are a secure solution only for your trusted backend applications to send and retrieve data directly to Arc.

  • Encrypt and secure tokens that are embedded in applications. You must not store tokens in plaintext.

  • Use the smallest-scoped token possible. Don’t use an all-access token when a restricted-access or read-only token works.

  • Do not send or share tokens. Access tokens must not be shared through unencrypted communication channels.