API - Authentication
Every request you make carries a bearer token:
`Authorization: Bearer YOUR_TOKEN`

There are two kinds, depending on who's doing the calling.
Service tokens
A service token (dpg_api_live_…) stands for an integration rather than a person. It's account-wide, you make it in the admin under Settings → API → API Tokens, and you send it straight through as a bearer token with no sign-in step. This is what you want for a server, a script or an automated workflow.
What a service token can do is set by its scopes:
| Scope | What it grants |
|---|---|
| `api.images.read` | Read images, sets, keywords and facets |
| `api.images.write` | Edit image fields |
| `api.images.delete` | Delete images |
| `api.keywords.write` | Add, remove and rename keywords |
| `api.ratings.write` | Set ratings |
| `api.metadata.write` | Edit metadata, crop, alt-text and credits |
| `api.sets.write` | Create and edit sets, membership, order and go-live |
| `api.upload` | Upload images |
| `api.download` | Resolve downloads and build archives |
Give a token only the scopes it needs. You can also set an expiry, restrict it to certain IP addresses, and cap the size of a request.
`GET /v1/me` shows you a token's live capabilities. It's the quickest way to check it's scoped the way you meant.

User tokens
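An added example (not the API's own client) of the check the paragraph above suggests: call `GET /v1/me` with a service token and compare the scopes it actually holds against the ones the integration needs, reporting both missing scopes and the excess that violates least privilege. The host name, the `scopes` field in the `/v1/me` body and the fake reply used for the offline run are assumptions; the text only says `/v1/me` shows the token's capabilities.

```python
import json
import urllib.request

API_BASE = "https://example.invalid"  # assumption: replace with the real API host


def fetch_me(token, http_get=None):
    """GET /v1/me with the bearer token.

    http_get(url, headers) -> dict is injectable so the audit can run offline;
    the default uses urllib against API_BASE.
    """
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if http_get is None:
        def http_get(url, hdrs):
            req = urllib.request.Request(url, headers=hdrs)
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
    return http_get(f"{API_BASE}/v1/me", headers)


def scope_diff(granted, required):
    """Return (missing, excess).

    'missing' breaks the integration; 'excess' is the least-privilege finding:
    scopes the token holds but the integration never uses.
    """
    granted, required = set(granted), set(required)
    return sorted(required - granted), sorted(granted - required)


def audit_token(token, required, http_get=None):
    # Assumption: the /v1/me body carries the token's scopes under "scopes".
    me = fetch_me(token, http_get)
    missing, excess = scope_diff(me.get("scopes", []), required)
    return {"ok": not missing and not excess, "missing": missing, "excess": excess}


def _fake_get(url, headers):
    """Constructed /v1/me reply for an offline run: an upload-only integration
    whose token was also handed api.images.delete."""
    assert url.endswith("/v1/me")
    assert headers["Authorization"].startswith("Bearer dpg_api_live_")
    return {"scopes": ["api.images.read", "api.upload", "api.images.delete"]}


if __name__ == "__main__":
    # Placeholder token value; the real one comes from Settings -> API -> API Tokens.
    print(audit_token("dpg_api_live_example", ["api.images.read", "api.upload"], _fake_get))
```

Run the audit once when a token is minted and again on a schedule: scopes can be widened in the admin later, and `/v1/me` is the only place the token itself tells you.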
When your software is acting for a signed-in person, like a mobile or desktop app, use the sign-in flow instead. It hands out short-lived access tokens tied to that user's own permissions.
1. `POST /v1/auth/sign_in` with `login`, `password` and a `device` descriptor.
   - If the user has two-factor turned on, you'll get an `mfa_token` back; finish the sign-in with `POST /v1/auth/mfa` and their current authenticator code.
   - Otherwise you'll get a `refresh_token` and the accounts they can work on.
2. `POST /v1/auth/token` with the `refresh_token` and an `account_uuid` gives you a 15-minute access token for that account.
   - When it runs out, call `/v1/auth/token` again with your latest `refresh_token`. The refresh token changes every time you use it, so always keep the newest one.
Signing in is rate limited, both per IP address and per login, and a throttled request comes back as 429 with a Retry-After header.
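The whole user flow above as an added example client, written for this page rather than taken from the API or its SDK. The HTTP transport is injected so the flow can be exercised offline against a constructed stand-in server that behaves the way the text describes: an `mfa_token` when two-factor is on, a refresh token that rotates on every `/v1/auth/token` call (the old one is refused), a 15-minute access token, and a 429 with `Retry-After` when sign-in is throttled. Field names beyond those in the text (`access_token`, `accounts`, `code`, `uuid`), the `Response` shape, the credentials and the token values are all assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


class Throttled(Exception):
    def __init__(self, retry_after):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


class AuthClient:
    """transport(method, path, headers, body) -> Response. Swap in urllib/requests for real use."""
    ACCESS_TTL = 15 * 60  # the text says access tokens last 15 minutes

    def __init__(self, transport):
        self.transport = transport
        self.refresh_token = None
        self.access_token = None
        self.access_expires_at = 0.0
        self.accounts = []

    def _post(self, path, body):
        resp = self.transport("POST", path, {"Content-Type": "application/json"}, body)
        if resp.status == 429:  # sign-in is throttled per IP and per login; honour Retry-After
            raise Throttled(int(resp.headers.get("Retry-After", "1")))
        if resp.status != 200:
            raise RuntimeError(f"{path} failed: {resp.status} {resp.body}")
        return resp.body

    def sign_in(self, login, password, device, mfa_code=None):
        body = self._post("/v1/auth/sign_in", {"login": login, "password": password, "device": device})
        if "mfa_token" in body:  # two-factor is on: finish with the current authenticator code
            if mfa_code is None:
                raise PermissionError("two-factor required: supply the current authenticator code")
            body = self._post("/v1/auth/mfa", {"mfa_token": body["mfa_token"], "code": mfa_code})
        self.refresh_token = body["refresh_token"]
        self.accounts = body.get("accounts", [])
        return self.accounts

    def access_token_for(self, account_uuid, now=None):
        now = time.time() if now is None else now
        if self.access_token and now < self.access_expires_at - 30:  # reuse while it has >30s left
            return self.access_token
        body = self._post("/v1/auth/token", {"refresh_token": self.refresh_token, "account_uuid": account_uuid})
        self.refresh_token = body["refresh_token"]  # rotates on every use: keep only the newest
        self.access_token = body["access_token"]
        self.access_expires_at = now + self.ACCESS_TTL
        return self.access_token

    def auth_header(self, account_uuid):
        return {"Authorization": f"Bearer {self.access_token_for(account_uuid)}"}


class FakeServer:
    """Constructed stand-in for the API, just enough to drive the flow offline."""

    def __init__(self, mfa_enabled=True, throttle_first=False):
        self.mfa_enabled, self.throttle_first = mfa_enabled, throttle_first
        self.counter, self.live_refresh = 0, None

    def __call__(self, method, path, headers, body):
        self.counter += 1
        if path == "/v1/auth/sign_in":
            if self.throttle_first and self.counter == 1:
                return Response(429, {}, {"Retry-After": "30"})
            if (body["login"], body["password"]) != ("alice", "correct horse"):
                return Response(401, {"error": "invalid credentials"})
            return Response(200, {"mfa_token": "mfa-1"}) if self.mfa_enabled else self._session()
        if path == "/v1/auth/mfa":
            if body.get("mfa_token") == "mfa-1" and body.get("code") == "123456":
                return self._session()
            return Response(401, {"error": "bad code"})
        if path == "/v1/auth/token":
            if body.get("refresh_token") != self.live_refresh:  # reuse of an old one is refused
                return Response(401, {"error": "refresh token unknown or already used"})
            return self._session(access=True)
        return Response(404, {})

    def _session(self, access=False):
        self.live_refresh = f"rt-{self.counter}"  # rotate: only the newest refresh token is valid
        body = {"refresh_token": self.live_refresh}
        if access:
            body["access_token"] = f"at-{self.counter}"
        else:
            body["accounts"] = [{"uuid": "acct-1", "name": "Demo"}]
        return Response(200, body)


def demo():
    """Sign in with MFA, fetch an access token, reuse it, then renew after it expires."""
    client = AuthClient(FakeServer())
    accounts = client.sign_in("alice", "correct horse", {"name": "laptop"}, mfa_code="123456")
    first = client.access_token_for("acct-1", now=0)
    cached = client.access_token_for("acct-1", now=60)
    renewed = client.access_token_for("acct-1", now=16 * 60)
    return accounts, first, cached, renewed, client.refresh_token


def throttled_retry_after():
    """Show the 429 path: the client surfaces Retry-After instead of retrying blindly."""
    try:
        AuthClient(FakeServer(throttle_first=True)).sign_in("alice", "correct horse", {"name": "laptop"}, "123456")
    except Throttled as exc:
        return exc.retry_after
    return None
```

Two points the fake server makes concrete: store the refresh token you got back from the most recent `/v1/auth/token` call and nothing older, since the old one is refused, and treat a 429 as a signal to wait out `Retry-After` rather than loop, because the limit applies per login as well as per IP and a retry storm just locks the user out longer.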
Which one should you use?
For an integration or an automated workflow, use a service token. It's simpler, and it's what the rest of these guides assume. For an app that people log into, use the user flow.