---
title: "API Tokens"
description: "Scoped API tokens for REST API access — create tokens with read, operational, full, or agent scope."
url: "https://wpwebhooks.org/docs/api-tokens/"
---

[WP Webhooks](https://wpwebhooks.org/) / [Docs](https://wpwebhooks.org/docs/) / API Tokens

Feature since v1.3.0

# API Tokens

Scoped API tokens for REST API access — create tokens with read, operational, full, or agent scope.

Create tokens from the API Tokens screen in the admin panel. Each token has a name, scope, optional expiry, and is SHA-256 hashed at rest. Tokens are accepted via `X-FSWA-Token` header, `Authorization: Bearer`, or `?api_token=` query parameter. Token management itself always requires a WordPress admin session.

## Scopes

`read` — GET endpoints only. `operational` — read + toggle webhooks, retry/replay logs, execute queue jobs. `full` — operational + create, update, delete webhooks, schemas, logs; reveals stored auth secrets. `agent` — same write access as `full`, but can never reveal a webhook's `auth_header` or any Credentials Vault secret. Intended for AI assistants.

/ Related

[REST API](https://wpwebhooks.org/docs/rest-api/)

/Ready

## Your next automation is  
one sentence away.

[Install Plugin→](https://wordpress.org/plugins/flowsystems-webhook-actions/) [See the Plugin →](https://wpwebhooks.org/wordpress-webhook-plugin/)

$ wp plugin install flowsystems-webhook-actions --activate

## Structured data

```json
{"@context":"https://schema.org","@type":"TechArticle","name":"API Tokens — Feature — Webhook Actions Docs","description":"Scoped API tokens for REST API access — create tokens with read, operational, full, or agent scope.","url":"https://wpwebhooks.org/docs/api-tokens/","isPartOf":{"@type":"WebSite","name":"WP Webhooks","url":"https://wpwebhooks.org"},"about":{"@type":"SoftwareApplication","name":"Webhook Actions","applicationCategory":"WordPress Plugin"}}
```
