API Access Token for Single Sheet


I would like to generate an API Access Token for a single sheet.  Currently, if I provide my API Access Token in a script for others to use, they can use it to access all of my sheets (and those shared with me).

Please let me know how to do this.




  • J. Craig Williams
    J. Craig Williams ✭✭✭✭✭✭

    I create a special user and share the only the sheets need for the API.

    Since I use gmail, I can have multiple email addresses going to the same inbox.

    The API token can be generated by a non-licensed user.


  • Thanks Craig.

    Unfortunately, my company does not allow me to share a sheet with an "external" user so I can't use this as a work around.

    I could move the sheet to my external account and share it from there, but that would be against the security policy.

    Other thoughts?



  • J. Craig Williams
    J. Craig Williams ✭✭✭✭✭✭

    At my previous company, we were using SSO with Smartsheet.

    I created a user (not a SysAdmin!)

    [email protected]

    I had IT forward any emails to me.

    I would log in as that user to set the token only once. After that I only needed to log in if something was wrong (it never was)

    I would share sheets or workspaces as need to the 'user'.

    I don't give access tokens to other people. If they need to access something, they should create their own token.

    IT was happy  because this is MORE secure than not having the user.




  • In order for the token to work doesn't the token creator need to be the owner of the sheet?

  • The token will work if you have visibility to that sheet.  You do not need to be the owner. 

    You may have restrictions on what you can do to the sheet as a viewer (e.g. cannot add rows or similar).  This can be circumvented by adding the others as editors.

    This is very unsecure as the API token allows access to all of your sheets.


  • chanmar
    chanmar ✭✭

    Sorry to bring up an old thread - but do you know if this is still the case re: API token can be generated by a non-licensed user? I'm seeing differently and wonder if it's just me or something changed.