🍪 Cookie Notice

We use cookies to learn how you interact with our content, and show you relevant content and ads based on your browsing history. You can adjust your settings below. Here's our policy.

Cookie settings
Skip to main content

JoyConf 2026 is back. Content Confidence. Human Connection. Save your spot!

New

Scoped Personal Access Tokens

  • Infrastructure
  • Security
  • Developer Experience
Books and Storyblok Logo

Personal access tokens for the Management API now support granular scopes and space restrictions. When you create a token, you choose which scopes it can use (stories, assets, components, webhooks, and more) on a read-write-publish hierarchy, and whether it applies to all spaces or only specific ones. Endpoints outside the standard content scopes — organization management, billing, SSO, user management, and others — are blocked by default.

Until now, every personal access token had full read-write access to every space the user owned. A token built for a CI pipeline that publishes stories in one space could also delete components in any other space, change billing, or touch user management. The same risk applies to AI assistants calling the Management API through the Storyblok MCP server. Scoped tokens limit the blast radius of a compromised, leaked, or prompt-injected token. Existing unscoped tokens enter a six-month transition period and will be revoked on 30.11.2026.

Key Benefits:

  • Limit each token to only the scopes and spaces it actually needs
  • Endpoints like organization, billing, SSO, and user management are blocked by default
  • Reduce the blast radius of a compromised or leaked token
  • Tighter control over AI assistants and MCP server integrations
  • Token rotation is explicit and audit-friendly — change scopes by revoking and creating a new token

[Learn More]

Related Updates

New

SCIM 2.0

  • Infrastructure
  • Security

Storyblok now supports SCIM 2.0, the standard protocol your identity provider uses to manage user accounts in connected applications. Connect Okta or Microsoft Entra ID, and Storyblok user access follows your IdP automatically. Storyblok exposes a SCIM 2.0 server that your IdP calls whenever a user is added, changed, or removed. New users are provisioned with the right role based on their IdP group, role updates flow through on the next sync, and de-provisioned users lose access immediately, with active sessions terminated and content attribution preserved. Each connection is secured with an organization-scoped token, and every provisioning event is written to an audit log with timestamp, operation, and the user or group involved. Key Benefits: Off-boarded employees lose Storyblok access the moment they leave your IdPIT teams stop running manual updates for every joiner, mover, and leaverPermissions stay aligned with your identity source of truth instead of drifting over timeAudit log supports SOC 2 and ISO 27001 evidence requirementsOne less blocker in enterprise procurement and security reviews [Learn more]

Premium Plan

Support for mixing SSO and non-SSO user roles with re-login protection

  • Security

User roles can now be mixed between SSO and non-SSO groups, giving administrators more flexibility in how roles are assigned. Additionally, non-SSO assigned roles are now preserved on re-login, preventing them from being automatically removed during SSO authentication. This ensures that manually assigned roles remain intact alongside SSO-managed roles.