Authentication tokens
Types of API access tokens
User API keys (Legacy): User API keys were historically the only method available to access dbt Cloud APIs on the user’s behalf. They are scoped to the user and not the account. User API Keys will eventually be deprecated for the more secure personal access tokens.
Personal access tokens (New): Personal access tokens (PATs) are the new, preferred, and secure way of accessing dbt Cloud APIs on behalf of a user. They are more secure than user API Keys. PATs are scoped to an account and can be enhanced with more granularity and control.
Service tokens: Service tokens are similar to service accounts and are the preferred method to enable access on behalf of the dbt Cloud account.
Which token type should you use
You should use service tokens broadly for any production workflow where you need a service account. You should use PATs only for developmental workflows or dbt Cloud client workflows that require user context. The following examples show you when to use a personal access token (PAT) or a service token:
- Connecting a partner integration to dbt Cloud — Some examples include Hightouch, Datafold, a custom app you’ve created, etc. These types of integrations should use a service token instead of a PAT because service tokens give you visibility, and you can scope them to only what the integration needs and ensure the least privilege. We highly recommend switching to a service token if you’re using a user API key for these integrations today.
- Production Terraform — Use a service token since this is a production workflow and is acting as a service account and not a user account.
- Cloud CLI and Semantic Layer Sheets Integration — Use a PAT since both the dbt Cloud CLI and Semantic Layer Google Sheets integrations work within the context of a user (the user is making the requests and has to operate within the context of their user account).
- Testing a custom script and staging Terraform or Postman — We recommend using a PAT as this is a developmental workflow and is scoped to the user making the changes. When you push this script or Terraform into production, use a service token instead.