In April 2025, we are implementing a breaking change to the DigitalOcean API that fixes an incomplete resource authorization issue. You may need to recreate API tokens with additional scopes to retain the same functionality, depending on your use cases.
Currently, customers can use endpoints for one resource type to perform actions on other resource types, even if their API token lacks the necessary scopes for the other resource types. For example, using an API token that has droplet:create but not tags:create, you can call POST /v2/droplets to create a new tag along with the new Droplet.
When the fix is implemented, API tokens must have all necessary scopes to interact with resources, regardless of the endpoint.
Before April 2025, when this fix is implemented, you should:
Find any instances where you’re using the DigitalOcean API to create, view, update, or delete resources of one type through endpoints for another resource type (like creating a tag while creating a Droplet).
Based on those instances, review the scopes on your API tokens. Your token needs to have all appropriate scopes to interact with those resources, regardless of the endpoint.
If necessary, create a new API token with the additional scopes you need, then update any token integrations with the new token and revoke the old token.
Existing tokens will continue to work until their assigned expiration, but will have appropriately restricted access based on their scopes.