Personal Tokens


Latest update: - Nat Dudley


If you are planning to hire a developer to create a custom script, desktop application or web application integration for your Vend store, they will need access to your store's data via the Vend API. You can provide this access by creating a Personal Token. This is a unique code that grants the developer access to the data they need and allows you to manage these integrations on an individual basis.

Note: Tokens should not be used as a primary authentication mechanism for web-based applications. Those applications should use OAuth 2.0 authorisation as described in our developer documentation.


What is a Personal Token?

A Personal Token is the equivalent of a password and gives someone access to your Vend account via the Vend API. While it doesn't grant access to the sell screen, it provides the same level of access to the data as an admin user.

Important: By providing a developer with this token they will have full access to the data in your store. Make sure you send this privately and don’t publicly share the information anywhere.

How do I access it?

To create a token, navigate to Setup -> Personal Tokens.

Select 'Generate Personal Token'

And fill out the details below:

Token name: Enter a name for your own reference. Make it unique to avoid any confusion if you have multiple tokens active.

Expiry date: This is disabled by default. However, if you only want the custom integration or script to be able to access your data for a limited time, you can specify a token expiry date.

Once this is done click 'Save' and copy the token to send it through to your developer(s).

If you are building multiple apps for your store, it is recommended that you create a token for each app.

Important: If the token you have provided a developer expires, the integration they have built will no longer work. You can extend or remove the expiry date by editing the current token or creating a new one.

If you do require long-term use, it is best to use OAuth 2.0 authorisation as described in our developer documentation.

Every request sent to the Vend API needs to be authorised. The best way to do this is to add the Authorization header, just as is done for OAuth tokens:

Authorization: Bearer _here_goes_your_token_
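The following is an added example, not Vend's own code, of a script that sends this header while treating the token like the password it is: read from the environment, sent only over HTTPS, and redacted in error messages. The variable name VEND_PERSONAL_TOKEN, the URL passed in by the caller, and the handling of HTTP 401 as "expired or removed" are assumptions for illustration.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

TOKEN_ENV = "VEND_PERSONAL_TOKEN"  # assumed variable name, not defined by Vend


def load_token(env=os.environ):
    """Read the token from the environment so it never lives in source control."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    if any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError("token contains whitespace or control characters")
    return token


def build_request(url, token):
    """Attach the Bearer header; refuse plain HTTP, which would expose the token."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("token may only be sent to an https:// URL")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def redact(token):
    """Form that is safe to log: at most the last four characters."""
    keep = 4 if len(token) > 8 else 0
    return "*" * (len(token) - keep) + token[len(token) - keep:]


def fetch(url, token, timeout=10):
    """Send the request. Treating 401 as 'expired or removed' is an assumption."""
    try:
        with urllib.request.urlopen(build_request(url, token), timeout=timeout) as r:
            return r.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError(
                f"token {redact(token)} rejected; check Setup -> Personal Tokens"
            ) from None
        raise
```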


Best Practices for Managing Personal Tokens:

Remove unused Personal Tokens:

Make sure you remove any unused Personal Tokens. Personal Tokens provide full access to the retailer's store. By removing any unused tokens you will be reducing the risk of misuse going forward.

Rotate Personal Tokens periodically:

It is best to change personal access tokens on a regular basis. To make this easier, we have implemented a change to the personal token user interface in Vend that displays 'token age'. For example, < 30 days (Green), < 90 days (Yellow), < 180 days (Red). You can also choose to have 'Inactive' tokens turn red in X days.

Do not use Personal Tokens for long-term use:

In many scenarios, you will not need a long-term personal access token that never expires. Instead, you can generate credentials through the Vend developer portal. These credentials consist of an access key and a secret, but they also include a token that allows you to renew the access key automatically when the access key expires.

If you do require long-term use, it is best to use OAuth 2.0 authorisation as described in our developer documentation.

Understand how you're using a Personal Token:

If a Personal Token is created under your Vend user, create a descriptive name so you know where it's being used. If the Personal Token needs to be changed, you'll need to know how to rotate/change it. If you don't know how to rotate or change a token, it's likely that an application is a better fit.

Set an expiry on each Personal Token you create:

Make sure you have set an expiry for every personal token you create. Personal Tokens are not meant for application integrations and therefore should only need to be accessible for a limited time.


In case of any questions regarding Personal Tokens or the API in general, please get in touch with our Developer Relations Team at api@vendhq.com
