---
title: Get the privileges of an access token
slug: '109'
canonical_url: https://docs.coveo.com/en/109/
collection: manage-an-organization
source_format: adoc
---
# Get the privileges of an access token
When you perform a REST API operation call, you must ensure that the access token you use to authenticate your API call minimally [grants you the privileges](https://docs.coveo.com/en/3151/) that are [required to access the endpoint](https://docs.coveo.com/en/1707/).
Otherwise, the call typically returns a `401 UNAUTHORIZED` response.

Use the [Get all organization privileges for the access token](https://platform.cloud.coveo.com/docs?urls.primaryName=AuthorizationServer#/Organization%20Privileges/rest_organizations_paramId_privileges_token_post) operation to retrieve the list of [privileges](https://docs.coveo.com/en/228/) granted to a specific access token (OAuth2 token, Coveo API key, or JWT search token) within the scope of a specific [Coveo organization](https://docs.coveo.com/en/185/).

**Request template:**

```http
POST https://platform.cloud.coveo.com/rest/organizations/<MyOrganizationId>/privileges/token?accessToken=<MyAccessTokenToValidate> HTTP/1.1

Accept: application/json
Content-Type: application-json
Authorization: Bearer <MyAccessToken>
```

**Payload:**

```json
{}
```

In the request path:

* Replace `<MyorganizationId>` with the [ID of the target Coveo organization](https://docs.coveo.com/en/148/).

* Replace `<MyAccessTokenToValidate>` with the access token whose privileges you want to retrieve.

In the `Authorization` HTTP header:

* Replace `<MyAccessToken>` with a valid Coveo access token (API key or OAuth2 token).
This access token doesn't need to have any privileges in the target Coveo organization, if not already done.

The body of a successful response (`200 OK`) contains the [list of privileges](#valid-owner-targetdomain-and-type-combinations) granted by the token that corresponds to the `accessToken` you provide as a query string argument.
These privileges only apply within the target Coveo organization.

## Valid owner, targetDomain, and type combinations

Each [Coveo Platform](https://docs.coveo.com/en/186/) REST API operation has its own set of minimum required [privileges](https://docs.coveo.com/en/228/).

A privilege is represented by a valid combination of an `owner` value (`USAGE_ANALYTICS`, `COVEO_ML`, `PLATFORM`, or `SEARCH_API`) and a `targetDomain` value (such as `REPORTS`, `SOURCE`, or `EXECUTE_QUERY`).
Most privileges must also have a `type` value (`CREATE`, `VIEW`, or `EDIT`).

[Some domains](https://docs.coveo.com/en/1707/) offer the [Custom access level](https://docs.coveo.com/en/3151#custom-access-level) option.
This lets you grant each API key, source, group, or extension its own access level.

## Sample request

**Getting the privileges of an access token:**

```http
POST https://platform.cloud.coveo.com/rest/organizations/mycoveocloudv2organizationg8tp8wu3/privileges/token?accessToken=xx590a182c-5045-4914-a00b-1f4099581b3e HTTP/1.1

Accept: application/json
Content-Type: application-json
Authorization: Bearer **********-****-****-****-************
```

**Payload:**

```json
{}
```

**Successful response - 200 OK:**

```json
[
  {
    "targetDomain": "EXECUTE_QUERY",
    "targetIds": [],
    "owner": "SEARCH_API",
    "global": false
  },
  {
    "type": "EDIT",
    "targetDomain": "ANALYTICS_DATA",
    "targetIds": [],
    "owner": "USAGE_ANALYTICS",
    "global": false
  }
]
```