Unscoped Personal Access Tokens Sunset on 30.11.2026
Storyblok adds a layer of security and control to personal access tokens, used to access the Management API and perform CRUD (create, read, update, delete) operations.
What’s changing
Personal access tokens for the Management API now support granular scopes and space restrictions. Instead of granting a token access to every scope on every space you own, the creation flow requires you to choose:
- Which scopes the token can use, for example stories, assets, components, or webhooks. You must select at least one.
- Which spaces the token can access. The default option is All spaces, but you can restrict access to specific spaces.
To learn more about the available options, check the Access Tokens developer concept.
Why we’re making this change
Before this change, every personal access token had full read-write access to every space the user owned. That blanket access violates the principle of least privilege. For example, a token used by a single continuous integration pipeline to publish stories in one space could also delete components in every other space.
The same risk applies to the Storyblok MCP server, which lets AI assistants call the Management API using a personal access token.
A scoped token controls what a malfunctioning or prompt-injected model can do, even if it’s instructed to delete data. This complements the MCP server’s own role parameter, which restricts operations at the connection level.
What you need to do
Existing tokens continue to work until 30.11.2026, when Storyblok revokes them regardless of their set expiration dates.
Replace every unscoped token in use before then.
New tokens must use the new scoped creation flow. When your current tokens expire, or you need new ones, create them with explicit scopes and optional space restrictions.
Best practices
- Audit your existing personal access tokens and note where they’re used
- Apply the principle of least privilege to each replacement token—define the scopes and spaces the integration actually needs
- Store tokens in environment variables, never in frontend code or version control
- Set expiration dates and rotate tokens regularly
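The following script is an added example, not Storyblok's own code, that models the audit and least-privilege steps above: it records where each token is used, derives the minimal scope and space set each replacement token needs, and flags tokens that are unscoped (and therefore revoked on 30.11.2026), over-privileged, or unused. The scope names are the four the announcement lists as examples; whether the creation UI uses exactly these identifiers, the `*` marker for "All spaces", the space ids, the environment variable name and all token inventory data are assumptions constructed for the example.

```python
"""Least-privilege planner for Storyblok personal access tokens (added example)."""
import os
from dataclasses import dataclass
from datetime import date

# Scope names given as examples in the announcement; exact identifiers in the
# token creation UI are an assumption of this example.
KNOWN_SCOPES = frozenset({"stories", "assets", "components", "webhooks"})
ALL_SPACES = "*"              # constructed marker for the "All spaces" option
SUNSET = date(2026, 11, 30)   # hard cutoff for unscoped tokens (from the announcement)
AUDIT_DATE = date(2026, 6, 1)  # constructed "today" for the sample run


@dataclass(frozen=True)
class TokenGrant:
    """What a personal access token is allowed to do."""
    name: str
    scopes: frozenset   # scopes the token may use
    spaces: frozenset   # {ALL_SPACES} or a set of space ids (constructed ids)


@dataclass(frozen=True)
class Usage:
    """One place a token is used, recorded during the audit."""
    token: str
    integration: str
    scopes: frozenset   # operations the integration actually performs
    spaces: frozenset   # spaces it actually touches


@dataclass(frozen=True)
class Finding:
    token: str
    problem: str
    recommended: TokenGrant  # minimal grant to request for the replacement token


def legacy_token(name):
    """Model a pre-change token: full read-write on every space the user owns."""
    return TokenGrant(name, KNOWN_SCOPES, frozenset({ALL_SPACES}))


def is_unscoped(grant):
    return grant.scopes == KNOWN_SCOPES and ALL_SPACES in grant.spaces


def minimal_grant(token_name, usages):
    """Union of what every integration using this token actually needs."""
    mine = [u for u in usages if u.token == token_name]
    scopes = frozenset().union(*(u.scopes for u in mine))
    spaces = frozenset().union(*(u.spaces for u in mine))
    return TokenGrant(token_name, scopes, spaces)


def excess(grant, needed):
    """Scopes and spaces the token holds beyond what its usages require."""
    extra_scopes = grant.scopes - needed.scopes
    if ALL_SPACES in grant.spaces and ALL_SPACES not in needed.spaces:
        extra_spaces = frozenset({ALL_SPACES})  # "All spaces" but only some are used
    else:
        extra_spaces = grant.spaces - needed.spaces
    return extra_scopes, extra_spaces


def audit(grants, usages, today):
    """Flag unused, unscoped and over-privileged tokens, with the grant to replace each."""
    findings = []
    for g in grants:
        needed = minimal_grant(g.name, usages)
        if not needed.scopes:
            findings.append(Finding(g.name, "unused; revoke it", needed))
        elif is_unscoped(g):
            days = (SUNSET - today).days
            findings.append(Finding(
                g.name, f"unscoped; revoked on {SUNSET:%Y-%m-%d} ({days} days left)", needed))
        else:
            extra_scopes, extra_spaces = excess(g, needed)
            parts = []
            if extra_scopes:
                parts.append("scopes " + ", ".join(sorted(extra_scopes)))
            if extra_spaces:
                parts.append("spaces " + ", ".join(sorted(extra_spaces)))
            if parts:
                findings.append(Finding(
                    g.name, "over-privileged: unnecessary " + "; ".join(parts), needed))
    return findings


def token_from_env(env=None, var="STORYBLOK_MANAGEMENT_TOKEN"):
    """Read the token from the environment (variable name is an assumption); never log it."""
    env = os.environ if env is None else env
    value = env.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set")
    return value


# Constructed inventory: three tokens in use plus one forgotten legacy token.
SAMPLE_GRANTS = [
    legacy_token("ci-deploy"),
    TokenGrant("mcp-assistant", frozenset({"stories", "components"}), frozenset({ALL_SPACES})),
    TokenGrant("asset-sync", frozenset({"assets"}), frozenset({"12345"})),
    legacy_token("old-laptop"),
]
SAMPLE_USAGES = [
    Usage("ci-deploy", "GitHub Actions publish step", frozenset({"stories"}), frozenset({"12345"})),
    Usage("mcp-assistant", "editor AI assistant", frozenset({"stories"}), frozenset({"12345"})),
    Usage("asset-sync", "DAM synchronisation job", frozenset({"assets"}), frozenset({"12345"})),
]


def run_sample_audit():
    return audit(SAMPLE_GRANTS, SAMPLE_USAGES, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.token}: {f.problem}")
        print(f"  replacement -> scopes={sorted(f.recommended.scopes)} "
              f"spaces={sorted(f.recommended.spaces)}")
```

Running it lists `ci-deploy` as unscoped with a replacement grant of `stories` on space `12345`, `mcp-assistant` as over-privileged (it holds `components` and "All spaces" but only reads stories in one space, which is exactly the blast radius a prompt-injected model should not have), and `old-laptop` as unused; `asset-sync` is already minimal and produces no finding.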
Transition period
Scoped tokens became the default on 29.05.2026. As of that date, the unscoped token creation flow is no longer available. Every new token must specify scopes and spaces.
Existing tokens enter a six-month transition period:
- Until November 30, 2026, unscoped tokens continue to function with their current (full) permissions. You can rename or revoke them, but you cannot duplicate them or create new tokens in the old format.
- On November 30, 2026, Storyblok revokes all remaining unscoped tokens. This is a hard cutoff that applies regardless of each token’s expiration date.
To help you plan the migration, Storyblok will send emails and in-app reminders on the following dates:
- August 31, 2026 (90 days before)
- October 30, 2026 (30 days before)
- November 23, 2026 (7 days before)