API Tokens

All API Methods require you to provide an active API Token.


Token Generation / Deactivation

Each site can have up to five active tokens. If a token is no longer in use or if it has been compromised, you can deactivate the token.

For each token, you may optionally add a "note" which is a short description to remind your team how a token is being used.

Tokens are currently a 41 character string, but the length for new tokens could be shorter or longer at any time.

Token generation and deactivation are managed via the Control Panel of your iScout website. To access the API Management Pages, your account must be under a role with the "Manage Billing" permission enabled.

Manage Tokens

Token Security

Keep in mind that each token gives read/write access to your account so it is critical that they are not shared publicly. It should be treated like an admin username/password would be treated.

Do not include your token in client-side code. If you wish to access the iScout data via a web/mobile client, then you should make requests to your own server which should verify the method/action. Then the server should make the request to the iScout api and forward the response to the client.



Rate Limit

The iScout API rate limits requests per token at 60 requests per minute. If the request rate exceeds this limit, an error will be returned.

Egregious request rates or extended limit violations may be grounds for deactivation of the token or even of API access for the entire site.