Managing API and Server-to-server (S2S) tokens

At a glance: API and S2S tokens ensure data security. They enable users to access data via the AppsFlyer APIs or receive event data using server-to-server calls. Admins can manage multiple tokens: create, rename, and remove API and server-to-server tokens.



  • Only admins can view and manage API and S2S tokens. Account users and partners have no access to the Tokens page.
  • Keep your tokens safe as they enable access to your data. Don't publish tokens in public code repositories.
  • It's recommended to replace tokens every 180 days.


API and server-to-server (S2S) tokens are used to enable users to access data via AppsFlyer API and S2S calls. Admins can create and replace multiple tokens while maintaining the continuity of the data, without losing any data. API and S2S tokens can be used for various purposes:

  • Replacing tokens:
    • Addressing specific security concerns, such as a token compromise or suspected unauthorized access
    • Periodically replacing tokens as part of routine security policy updates
  • Managing several tokens for different API calls
  • For testing purposes

Reaching the Tokens page

  1. From the menu bar, click the admin email address dropdown (top right corner).
  2. Select Security center.
  3. In the AppsFlyer API tokens section, click Manage your AppsFlyer API tokens. The current tokens are displayed. 

Token types

A default API token is created for every new account (API token V2). Admins can add up to 4 tokens, 2 of each type:

  • API token: This is a JWT token (JSON Web Token) used to authorize API calls, such as Pull API, Cohort API, ROI API, and others. 

  • S2S token: This token is used for sending event data using S2S calls that are sent automatically. 
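Because the API token is a JWT, it has a recognizable shape, so the advice not to publish tokens in code repositories can be checked before a commit. The scanner below is an added example, not AppsFlyer code; it relies only on the generic JWT layout (it does not cover S2S tokens, whose format this page does not state), and all names and sample values in it are constructed for illustration.

```python
import base64
import json
import re
import sys

# Three dot-separated base64url segments. A JSON-object header always encodes
# to a segment that starts with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]*")

def _b64url_json(segment):
    """Decode one base64url segment to a dict, or return None."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return value if isinstance(value, dict) else None

def find_jwts(text):
    """Return (line_number, redacted_token) for each JWT-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in JWT_RE.finditer(line):
            token = match.group()
            header = _b64url_json(token.split(".")[0])
            # A JOSE header carries "alg"; this drops look-alike strings.
            if header is not None and "alg" in header:
                hits.append((lineno, f"{token[:6]}... ({len(token)} chars)"))
    return hits

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: a throwaway token built here, not a real credential.
SAMPLE_TOKEN = ".".join([_enc({"alg": "HS256", "typ": "JWT"}), _enc({"sub": "demo"}), "c2ln"])
SAMPLE = "\n".join([
    "base_url = https://example.invalid/api",
    f'api_token = "{SAMPLE_TOKEN}"',
    "build_id = eyJhbGciOi.not.a-token",  # look-alike, header is not valid JSON
])

if __name__ == "__main__":
    # With file arguments: scan them (pre-commit style). Without: scan SAMPLE.
    texts = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    results = [(p, h) for p, t in (texts or {"<sample>": SAMPLE}).items() for h in find_jwts(t)]
    for path, (lineno, redacted) in results:
        print(f"{path}:{lineno}: possible JWT {redacted}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds a candidate, so it can block a commit, and it prints only a redacted prefix so the token does not end up in hook or CI logs.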

Manage your tokens

As an admin, you can manage multiple tokens: create, rename, and remove API and S2S tokens. The main use would be to replace current tokens with new ones. This is done by first creating a new token, implementing it in your systems, and after it becomes available, deleting the old token.

Retrieve tokens

  1. From the menu bar, access the user menu (email address drop-down at the top right corner).
  2. Select Security center.
  3. In the AppsFlyer API tokens section, click Manage your AppsFlyer API tokens.
  4. The available tokens are displayed. 
  5. Copy the required token.

Create a token

  1. From the Tokens page, click + New token.
  2. Enter the token name.
  3. Select the token type.
  4. Click Create token.


  • A new token becomes available for use only after 30 minutes; until then, its status is Pending.
  • Make sure to implement the new token in your systems.

Rename a token

  1. From the Tokens page, click the edit icon of the token you want to rename.
  2. Rename the token.
  3. Click Save.

Delete a token


  • Deleting an API or S2S token could cause systems that depend on it to fail.
  • When you delete a token, it's removed from the Tokens page. However, it takes up to 30 minutes for all calls that use it to be fully rejected.
  • If you wish to replace a token, make sure to first create a new token, implement it, and after it becomes available (when not in "Pending" status), you can delete the old token.

  1. From the Tokens page, click the delete icon of the token you want to delete.
  2. You must confirm deleting the token by typing "Delete token".
  3. Click Delete token.

Applications of the API V2 token

Use cases for advertisers and ad networks using the API V2 token:


API V2 token:

  • Pull API raw data
  • Pull API aggregate data
  • Get app list
  • SKAdNetwork aggregate reporting
  • Copy partner integration settings
  • Set install referrer decryption key
  • True Revenue tax API
  • Master API

Ad network

API V2 token:

  • App list for ad networks
  • Integration with campaign management platforms
  • Protect360 reports for integrated partners

Applications of the S2S token

Use cases for advertisers using the S2S token:

S2S token:

  • Mobile in-app events S2S API