API Token Management
Your API token authenticates all requests to Browserless services. Manage your token from the Browserless dashboard.
Accessing your API token
- Log in to your account at browserless.io/account
- Your API token is displayed on the account home page under the API Key section
- Click the Copy button next to your token to copy it to your clipboard
Using your API token
Add your API token to the URL query string as ?token=YOUR_TOKEN. Invalid tokens result in HTTP 401 or 403 responses. Keep the URL secure and avoid exposing it in client-side code or logs.
Example:
https://production-sfo.browserless.io/screenshot?token=YOUR_API_TOKEN_HERE
Rotating your API token
If your API token has been compromised or you want to rotate it as a security best practice, use the Change API Key button in the dashboard.
Steps to rotate
- Navigate to browserless.io/account
- Click the Change API Key button
- Review the confirmation dialog carefully
- Click Change API Key to confirm
What happens during rotation
Changing your API token requires a few minutes of downtime, and you will need to update all your applications to use the new token.
When you rotate your API token:
- Your current key is immediately invalidated
- A new randomly-generated key is created
- The new key is displayed on your account page
- All active connections using the old key will stop working
- You must update the token in every application or service that connects to Browserless
Plan your rotation during a maintenance window to minimize disruption to your services.
Best Practices
Store tokens securely
- Use environment variables to store your API token rather than hardcoding it in source files
- Never commit API tokens to version control (add
.envfiles to.gitignore) - Use a secrets manager (such as AWS Secrets Manager, HashiCorp Vault, or 1Password) for production deployments
Example: using environment variables
# .env file (never commit this)
BROWSERLESS_TOKEN=YOUR_API_TOKEN_HERE
// Access the token from your environment
const token = process.env.BROWSERLESS_TOKEN;
const url = `https://production-sfo.browserless.io/scrape?token=${token}`;
import os
token = os.environ["BROWSERLESS_TOKEN"]
url = f"https://production-sfo.browserless.io/scrape?token={token}"
Rotation frequency
- Rotate your API token immediately if you suspect it has been compromised
- Rotate periodically (every 90 days) as a security best practice
- Rotate when team members with access leave your organization
- Rotate after revoking access from any third-party integration
Limit exposure
- Use separate credentials per environment where possible (for example, separate Browserless accounts if multiple keys are not available on your plan)
- Monitor your usage dashboard for unexpected activity
- Avoid sharing your key across multiple unrelated projects
FAQ & Troubleshooting
How do I get started with Browserless?
Sign up for a free account at browserless.io, get your API token, and follow the Quickstart guide for BQL or the BaaS guide for Puppeteer/Playwright.
What's the difference between BQL and BaaS?
BQL is a GraphQL API for declarative browser automation with built-in stealth. BaaS runs your existing Puppeteer or Playwright scripts on managed browsers. See comparison for details.