Skip to main content
Access to the Metadata API is affected by user roles, tenant roles, tenant settings, and token scopes.
Changes to roles or tenant permissions may require **re-authentication and token regen
The Metadata API (Beta) enables you to interact with your Xano workspace schema and content programmatically. The Metadata API includes a comprehensive collection of API endpoints designed to add and modify database tables, schemas, and more. The Metadata API is also used in some cases to facilitate an integration with Xano by providing the integration partner with your Metadata API access token.

Getting Started with the Metadata API

Generate an Access Token

An access token is required for any request you send to the Metadata API.

Before you proceed

Generating an access token requires giving it specific permissions regarding what it can access. Make sure to review available scopes before proceeding. Token Scopes Reference
1

Click the profile icon in the lower-left corner and choose Instances

2

Click⚙️ next to your instance and choose Metadata API from the panel that opens

3

Click 'Manage Access Tokens'

4

Click 'New Access Token'

5

Give your access token a name

Access tokens can have different scopes, or permissions, defined. Giving each access token a recognizable name is important for you to quickly recognize which access tokens are created for specific purposes.
6

Select the expiry for your access token

By default, Xano will revoke your Metadata API access token after 7 days, which means if you need to access the API again, you would have to generate a new token.You can choose your own expiry duration; anything from 1 hour to never expire.
Use caution when defining extended expiry or setting tokens to never expire. Token rotation is good security practice.You can always revoke a token at any time.
7

Define the scopes for your token

The scopes tell Xano what this token has access to. Each scope has 4 options:C (Create) - Determines whether or not this token can create new dataR (Read) - Determines whether or not this token can read existing dataU (Update) - Determines whether or not this token can update existing dataD (Delete) - Determines whether or not this token can delete data.
HintYou can hover over each permission to quickly add or remove all four types of scope.
Each scope has their own API endpoints associated with them. If you aren’t sure which scopes you need for this token, use the reference below for additional information.
ScopeDescription
DatabaseAccess any of the content in your Xano database
ContentAccess any content outside of the database or function stacks, such as branches, data sources, and realtime
Live Data SourceAccess the data inside of your currently live data source
API GroupsAccess API Groups and APIs
FunctionsAccess custom functions
AddonsAccess addons
TaskAccess background tasks
FilesAccess file storage
Request HistoryAccess request history (requires Metadata API access and per-API request history enabled)
Request History access depends on:
  • Metadata API access
  • Request History scope on the token
  • Request History enabled on the specific API
  • Tenant and role permissions
If any of these are disabled, request history requests may fail.
8

Once you've set up your token, click button to copy it to your clipboard.

You will be shown your new access token. Click the button to copy it to your clipboard.
You will only be shown this token once, so make sure to copy it and store it in a safe place.If you lose the token, you should revoke it and create a new one.

Using your Access Token in Requests

The token should be sent as a header in the following format: 
Authorization: Bearer your_token_here

Using the Metadata API with Tenants

When Tenant Center is enabled, access to the Metadata API is governed by multiple layers of permissions:
  1. User role (Admin, Read-only, etc.)
  2. Tenant role (Default or Custom Tenant Role)
  3. Tenant Center feature toggles
  4. Metadata API token scopes
  5. API-level settings (such as Request History)
Token scopes define what a token may request. RBAC overrides, when enabled, determine whether the request is authorized. When RBAC is enabled, both the token scopes and RBAC configuration must allow access for a Metadata API request to succeed.

Token scopes vs RBAC permissions

Metadata API access tokens define what actions a token may attempt. Whether a request succeeds is determined by RBAC, which evaluates:
  • The user’s role
  • The tenant role
  • Tenant Center settings
The permissions shown when viewing a token represent the effective permissions after RBAC is applied, not just the token’s scopes. As a result:
  • A scope may appear disabled even though it is enabled on the token
  • This indicates an RBAC restriction, not a token limitation
  • This applies to both RBAC at a workspace level, and RBAC overrides on a tenant.

Revoking an Access Token

When you access the metadata API panel, you can review all of your currently issued tokens and their scopes. By choosing a token and clicking you can immediately revoke that token from use.

Important: Token Authorization and Role Changes

If any of the following change after a token is issued:
  • User role
  • Tenant role
  • Tenant Center settings
  • Metadata API access enablement
  • Request History enablement
The token may return authorization errors. Best practice:
After changing roles or tenant permissions, generate a new Metadata API access token.
If a Metadata API option appears disabled when viewing a token, this reflects RBAC evaluation. It does not necessarily mean the token was created without that scope.

Using the APIs

For more information on using the APIs, please see the following pages:

Account API

The account API allows you access to various settings and information about your Xano account and instances.

Instance API

The instance API allows you access to your workspaces, including all contents contained within them, such as tables, APIs, and more.