Legacy tokens refer to tokens created before the launch of impact.com’s scoped tokens in June 2025. If you currently use legacy tokens to authenticate with the impact.com APIs, it's time to make the shift to scoped tokens.
Legacy tokens grant broad access across all customer-facing APIs, which presents significant security and operational risks. Scoped tokens offer a more secure and manageable alternative. Read more about Scoped Token Best Practices.
List all existing integrations, whether apps, scripts, or services, that currently use a legacy read/write or read-only token.
For each integration, record what the integration does, which endpoints or resources it accesses, whether it performs read, write, or both types of actions, and who owns or maintains the integration. Use access logs or audit trails, if available, to identify which endpoints the current token is interacting with.
Review the purpose and functionality of each integration, identify which APIs or resources it needs access to, and determine the specific operations it performs, such as GET, POST, PUT, or DELETE. Map these actions to the appropriate scopes to ensure the token grants only the necessary permissions.
Be sure to note the API version currently in use, as this will help maintain compatibility during the transition. The overall objective is to provide each integration with just the right level of access—no more, no less.
Create a new token tailored to each integration’s specific needs. Use our guide to creating scoped tokens, whether you’re a brand, partner, or agency, and generate a new token with only the necessary scopes. Be sure to give the token a clear, descriptive label for future reference.
Set the API version to match the one your integration is already using. This ensures compatibility and minimizes the risk of disruptions. While it’s a good idea to eventually move to the latest API version, aim to do that upgrade later, after a successful migration and thorough testing.
Replace the old legacy token in your integration with the new scoped token, then thoroughly test the integration to make sure that it functions as expected and accesses only the intended resources.
If you run into any issues, check whether the token’s scopes align with what the integration actually needs and that the API version matches the one used with the legacy token. If necessary, you can go back and edit the token to adjust scopes or change the API version.
Once the new token is working smoothly, make sure to update your documentation and inform any relevant team members.
Also, document how the new scoped token is managed. This ensures that others won’t unknowingly reuse it inappropriately, which could lead to security or maintenance issues in the future.
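The inventory and scope-mapping steps above can be driven from access logs. The following is an added example, not impact.com code: it reduces a log to the read or write access each integration actually used per resource, which you then match to scopes when creating the token. The log format, the path shape, the integration names, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; the log format (timestamp, integration, method, path)
# and the /<AccountType>/<AccountId>/<Resource> path shape are assumptions.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z reporting-sync GET /Advertisers/ACCT123/Actions
2025-07-01T10:00:05Z reporting-sync GET /Advertisers/ACCT123/Actions/A-1
2025-07-01T10:02:11Z reporting-sync GET /Advertisers/ACCT123/Campaigns
2025-07-01T11:15:40Z ad-loader POST /Advertisers/ACCT123/Ads
2025-07-01T11:15:42Z ad-loader GET /Advertisers/ACCT123/Ads
2025-07-01T11:20:09Z ad-loader DELETE /Advertisers/ACCT123/Ads/AD-9
2025-07-01T11:21:00Z ad-loader PUT /Advertisers/ACCT123/Campaigns/C-2
this line is malformed and is reported, not guessed at
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<integration>\S+)\s+(?P<method>GET|POST|PUT|DELETE)\s+"
    r"/\w+/[^/\s]+/(?P<resource>\w+)(?:[/?]\S*)?$"
)
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def required_access(log_text):
    """Return ({integration: {resource: 'read'|'write'|'read+write'}}, unparsed_lines)."""
    seen = defaultdict(lambda: defaultdict(set))
    unparsed = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # review by hand; never widen scopes to cover a guess
            continue
        kind = "write" if m["method"] in WRITE_METHODS else "read"
        seen[m["integration"]][m["resource"]].add(kind)
    plan = {
        name: {res: "+".join(sorted(kinds)) for res, kinds in sorted(resources.items())}
        for name, resources in seen.items()
    }
    return plan, unparsed


if __name__ == "__main__":
    plan, unparsed = required_access(SAMPLE_LOG)
    for name, resources in plan.items():
        print(name, resources)
    print("unparsed:", unparsed)
```

Run it over a log window long enough to include infrequent jobs such as monthly reports; an operation that never appears in the window will be missing from the plan.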