> ## Documentation Index
> Fetch the complete documentation index at: https://docs.xano.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Metadata API

<Info>
  Access to the Metadata API is affected by **user roles, tenant roles, tenant settings, and token scopes**.\
  Changes to roles or tenant permissions may require \*\*re-authentication and token regen
</Info>

The Metadata API (Beta) enables you to interact with your Xano workspace schema and content programmatically. The Metadata API includes a comprehensive collection of API endpoints designed to add and modify database tables, schemas, and more.

The Metadata API is also used in some cases to facilitate an integration with Xano by providing the integration partner with your Metadata API access token.

## Getting Started with the Metadata API

### Generate an Access Token

An access token is required for any request you send to the Metadata API.

## Before you proceed

Generating an access token requires giving it specific permissions regarding what it can access. Make sure to review available scopes before proceeding. [Token Scopes Reference](/xano-features/metadata-api/token-scopes-reference)

<Steps>
  <Step title="Click the profile icon in the lower-left corner and choose Instances">
    <Frame>
      <img src="https://mintcdn.com/xano-997cb9ee/nsvdyKK4Dg7VUAZs/images/94102258-image.jpeg?fit=max&auto=format&n=nsvdyKK4Dg7VUAZs&q=85&s=7bf3eb471df4e7765c7fd898d69646a4" width="36" height="34" data-path="images/94102258-image.jpeg" />
    </Frame>
  </Step>

  <Step title="Click⚙️ next to your instance and choose Metadata API from the panel that opens">
    &#x9;
  </Step>

  <Step title="Click 'Manage Access Tokens'">
    <Frame>
      <img src="https://mintcdn.com/xano-997cb9ee/dC3SQWgPCF_-1qn6/images/296961aa-image.jpeg?fit=max&auto=format&n=dC3SQWgPCF_-1qn6&q=85&s=903293e6bddcad968f4d774744c1d295" width="203" height="25" data-path="images/296961aa-image.jpeg" />
    </Frame>
  </Step>

  <Step title="Click 'New Access Token'">
    <Frame>
      <img src="https://mintcdn.com/xano-997cb9ee/WBQXG-4Ngk82eYAW/images/fd729d11-image.jpeg?fit=max&auto=format&n=WBQXG-4Ngk82eYAW&q=85&s=530f5e537e39d8b5f161ee4319046982" width="167" height="26" data-path="images/fd729d11-image.jpeg" />
    </Frame>
  </Step>

  <Step title="Give your access token a name">
    Access tokens can have different **scopes**, or permissions, defined. Giving each access token a recognizable name is important for you to quickly recognize which access tokens are created for specific purposes.
  </Step>

  <Step title="Select the expiry for your access token">
    By default, Xano will revoke your Metadata API access token after 7 days, which means if you need to access the API again, you would have to generate a new token.

    You can choose your own expiry duration; anything from **1 hour** to **never expire**.

    <Warning>
      Use caution when defining extended expiry or setting tokens to never expire. Token rotation is good security practice.

      You can always revoke a token at any time.
    </Warning>
  </Step>

  <Step title="Define the scopes for your token">
    The scopes tell Xano what this token has access to. Each scope has 4 options:

    **C (Create)** - Determines whether or not this token can create new data

    **R (Read)** - Determines whether or not this token can read existing data

    **U (Update)** - Determines whether or not this token can update existing data

    **D (Delete)** - Determines whether or not this token can delete data.

    <Info>
      **Hint**

      You can hover over each permission to quickly add or remove all four types of scope.

      <Frame>
        <img src="https://mintcdn.com/xano-997cb9ee/pz6e9Ndbn8i3u8Zz/images/6095445a-image.jpeg?fit=max&auto=format&n=pz6e9Ndbn8i3u8Zz&q=85&s=0664e7b95b07146a8a4abc94316be9de" alt="" width="438" height="69" data-path="images/6095445a-image.jpeg" />
      </Frame>
    </Info>

    Each scope has their own API endpoints associated with them. If you aren't sure which scopes you need for this token, use the reference below for additional information.

    | Scope            | Description                                                                                                 |
    | ---------------- | ----------------------------------------------------------------------------------------------------------- |
    | Database         | Access any of the content in your Xano database                                                             |
    | Content          | Access any content outside of the database or function stacks, such as branches, data sources, and realtime |
    | Live Data Source | Access the data inside of your currently live data source                                                   |
    | API Groups       | Access API Groups and APIs                                                                                  |
    | Functions        | Access custom functions                                                                                     |
    | Addons           | Access addons                                                                                               |
    | Task             | Access background tasks                                                                                     |
    | Files            | Access file storage                                                                                         |
    | Request History  | Access request history (requires Metadata API access and per-API request history enabled)                   |

    <Info>
      Request History access depends on:

      * Metadata API access
      * Request History scope on the token
      * Request History enabled on the specific API
      * Tenant and role permissions

      If any of these are disabled, request history requests may fail.
    </Info>
  </Step>

  <Step title="Once you've set up your token, click button to copy it to your clipboard.">
    <Frame>
      <img src="https://mintcdn.com/xano-997cb9ee/SGxJ0muPK3um9hNH/images/7b3cbfd6-image.jpeg?fit=max&auto=format&n=SGxJ0muPK3um9hNH&q=85&s=79b7b7a63d35a8f8fc1abea16647d80b" width="68" height="31" data-path="images/7b3cbfd6-image.jpeg" />
    </Frame>

    You will be shown your new access token. Click the <img src="https://mintcdn.com/xano-997cb9ee/nsvdyKK4Dg7VUAZs/images/8d486207-image.jpeg?fit=max&auto=format&n=nsvdyKK4Dg7VUAZs&q=85&s=7737e30adeb37cab96c82fcb03944018" className="inline m-0" width="21" height="24" data-path="images/8d486207-image.jpeg" /> button to copy it to your clipboard.

    <Warning>
      **You will only be shown this token once, so make sure to copy it and store it in a safe place.**

      If you lose the token, you should revoke it and create a new one.
    </Warning>
  </Step>
</Steps>

## Using your Access Token in Requests

The token should be sent as a header in the following format:

```
Authorization: Bearer your_token_here
```

## Using the Metadata API with Tenants

When Tenant Center is enabled, access to the Metadata API is governed by **multiple layers of permissions**:

1. User role (Admin, Read-only, etc.)
2. Tenant role (Default or Custom Tenant Role)
3. Tenant Center feature toggles
4. Metadata API token scopes
5. API-level settings (such as Request History)

Token scopes define what a token may request.
RBAC overrides, when enabled, determine whether the request is authorized.
When RBAC is enabled, both the token scopes and RBAC configuration must allow access for a Metadata API request to succeed.

## Token scopes vs RBAC permissions

Metadata API access tokens define **what actions a token may attempt**.

Whether a request succeeds is determined by **RBAC**, which evaluates:

* The user’s role
* The tenant role
* Tenant Center settings

The permissions shown when viewing a token represent the **effective permissions after RBAC is applied**, not just the token’s scopes.

As a result:

* A scope may appear disabled even though it is enabled on the token
* This indicates an RBAC restriction, not a token limitation
* This applies to both RBAC at a workspace level, and RBAC overrides on a tenant.

## Revoking an Access Token

When you access the metadata API panel, you can review all of your currently issued tokens and their scopes.

By choosing a token and clicking <img src="https://mintcdn.com/xano-997cb9ee/SGxJ0muPK3um9hNH/images/7674dd0e-image.jpeg?fit=max&auto=format&n=SGxJ0muPK3um9hNH&q=85&s=9627c8b367de5a914dca5debabca1671" className="inline m-0" width="20" height="22" data-path="images/7674dd0e-image.jpeg" /> you can immediately revoke that token from use.

### Important: Token Authorization and Role Changes

If any of the following change after a token is issued:

* User role
* Tenant role
* Tenant Center settings
* Metadata API access enablement
* Request History enablement

The token may return authorization errors.

**Best practice:**\
After changing roles or tenant permissions, generate a new Metadata API access token.

<Info>
  If a Metadata API option appears disabled when viewing a token, this reflects RBAC evaluation.
  It does not necessarily mean the token was created without that scope.
</Info>

***

## Using the APIs

For more information on using the APIs, please see the following pages:

<Card icon="key" title="Account API" href="/xano-features/metadata-api/accountapi">
  The account API allows you access to various settings and information about your Xano account and instances.
</Card>

<Card icon="key" title="Instance API" href="/xano-features/metadata-api/instanceapi">
  The instance API allows you access to your workspaces, including all contents contained within them, such as tables, APIs, and more.
</Card>

***