diff --git a/docs/resources/api_token.md b/docs/resources/api_token.md index 34b094ee..89ed9a8b 100644 --- a/docs/resources/api_token.md +++ b/docs/resources/api_token.md @@ -17,7 +17,6 @@ resource "astro_api_token" "example" { name = "api token" description = "api token description" type = "ORGANIZATION" - role = "ORGANIZATION_OWNER" roles = [{ "role" : "ORGANIZATION_OWNER", "entity_id" : "clx42kkcm01fo01o06agtmshg", @@ -30,7 +29,6 @@ resource "astro_api_token" "example" { name = "api token" description = "api token description" type = "ORGANIZATION" - role = "ORGANIZATION_OWNER" roles = [{ "role" : "ORGANIZATION_OWNER", "entity_id" : "clx42kkcm01fo01o06agtmshg", @@ -52,7 +50,6 @@ resource "astro_api_token" "example_workspace_token" { name = "workspace api token" description = "workspace api token description" type = "WORKSPACE" - role = "WORKSPACE_OWNER" roles = [{ "role" : "WORKSPACE_OWNER", "entity_id" : "clx42sxw501gl01o0gjenthnh", @@ -64,7 +61,6 @@ resource "astro_api_token" "example_workspace_token_with_deployment_role" { name = "workspace api token" description = "workspace api token description" type = "WORKSPACE" - role = "WORKSPACE_OWNER" roles = [{ "role" : "WORKSPACE_OWNER", "entity_id" : "clx42sxw501gl01o0gjenthnh", @@ -84,9 +80,8 @@ resource "astro_api_token" "example_workspace_token_with_deployment_role" { ### Required - `name` (String) API Token name -- `role` (String) The role assigned to the API Token - `roles` (Attributes Set) The roles assigned to the API Token (see [below for nested schema](#nestedatt--roles)) -- `type` (String) API Token type +- `type` (String) API Token type - if changing this value, the API Token will be recreated with the new type ### Optional diff --git a/examples/resources/astro_api_token/resource.tf b/examples/resources/astro_api_token/resource.tf index cb5bca61..562ca09a 100644 --- a/examples/resources/astro_api_token/resource.tf +++ b/examples/resources/astro_api_token/resource.tf 
@@ -2,7 +2,6 @@ resource "astro_api_token" "example" { name = "api token" description = "api token description" type = "ORGANIZATION" - role = "ORGANIZATION_OWNER" roles = [{ "role" : "ORGANIZATION_OWNER", "entity_id" : "clx42kkcm01fo01o06agtmshg", @@ -15,7 +14,6 @@ resource "astro_api_token" "example" { name = "api token" description = "api token description" type = "ORGANIZATION" - role = "ORGANIZATION_OWNER" roles = [{ "role" : "ORGANIZATION_OWNER", "entity_id" : "clx42kkcm01fo01o06agtmshg", @@ -37,7 +35,6 @@ resource "astro_api_token" "example_workspace_token" { name = "workspace api token" description = "workspace api token description" type = "WORKSPACE" - role = "WORKSPACE_OWNER" roles = [{ "role" : "WORKSPACE_OWNER", "entity_id" : "clx42sxw501gl01o0gjenthnh", @@ -49,7 +46,6 @@ resource "astro_api_token" "example_workspace_token_with_deployment_role" { name = "workspace api token" description = "workspace api token description" type = "WORKSPACE" - role = "WORKSPACE_OWNER" roles = [{ "role" : "WORKSPACE_OWNER", "entity_id" : "clx42sxw501gl01o0gjenthnh", diff --git a/internal/provider/models/api_token.go b/internal/provider/models/api_token.go index 950c954e..5dc8955b 100644 --- a/internal/provider/models/api_token.go +++ b/internal/provider/models/api_token.go @@ -43,7 +43,6 @@ type ApiTokenResource struct { UpdatedBy types.Object `tfsdk:"updated_by"` ExpiryPeriodInDays types.Int64 `tfsdk:"expiry_period_in_days"` LastUsedAt types.String `tfsdk:"last_used_at"` - Role types.String `tfsdk:"role"` Roles types.Set `tfsdk:"roles"` Token types.String `tfsdk:"token"` } 
@@ -88,7 +87,7 @@ func (data *ApiTokenDataSource) ReadFromResponse(ctx context.Context, apiToken * return diags } -func (data *ApiTokenResource) ReadFromResponse(ctx context.Context, apiToken *iam.ApiToken, role *string) diag.Diagnostics { +func (data *ApiTokenResource) ReadFromResponse(ctx context.Context, apiToken *iam.ApiToken) diag.Diagnostics { var diags diag.Diagnostics data.Id = types.StringValue(apiToken.Id) data.Name = types.StringValue(apiToken.Name) @@ -123,7 +122,6 @@ func (data *ApiTokenResource) ReadFromResponse(ctx context.Context, apiToken *ia } else { data.LastUsedAt = types.StringValue("") } - data.Role = types.StringPointerValue(role) data.Roles, diags = utils.ObjectSet(ctx, apiToken.Roles, schemas.ApiTokenRoleAttributeTypes(), ApiTokenRoleTypesObject) if diags.HasError() { return diags diff --git a/internal/provider/resources/resource_api_token.go b/internal/provider/resources/resource_api_token.go index 089daf6f..079e5238 100644 --- a/internal/provider/resources/resource_api_token.go +++ b/internal/provider/resources/resource_api_token.go @@ -97,13 +97,10 @@ func (r *ApiTokenResource) Create( return } - role := data.Role.ValueString() - if len(role) == 0 { - role, _, diags = RequestApiTokenRole(ctx, roles, data.Type.ValueString()) - if diags != nil { - resp.Diagnostics.Append(diags...) - return - } + role, _, diags := RequestApiTokenRole(roles, data.Type.ValueString()) + if diags != nil { + resp.Diagnostics.Append(diags...) + return } // Create the API token request @@ -116,7 +113,7 @@ func (r *ApiTokenResource) Create( // If the entity type is WORKSPACE or DEPLOYMENT, set the entity id if createApiTokenRequest.Type == iam.WORKSPACE || createApiTokenRequest.Type == iam.DEPLOYMENT { var entityId string - _, entityId, diags = RequestApiTokenRole(ctx, roles, data.Type.ValueString()) + _, entityId, diags = RequestApiTokenRole(roles, data.Type.ValueString()) if diags != nil { resp.Diagnostics.Append(diags...) return 
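Review bot: In Create, the role and the entity ID are now fetched by two identical calls: the new `role, _, diags := RequestApiTokenRole(roles, data.Type.ValueString())` discards the entity ID, and the next hunk (@@ -116,7 +113,7) calls the function again with the same arguments only to get it. Now that the first call is unconditional, one call can serve both: `role, entityId, diags := RequestApiTokenRole(roles, data.Type.ValueString())`, with the WORKSPACE/DEPLOYMENT branch reusing `entityId`. Both new call sites (here and in ValidateConfig, @@ -430,13 +427,10) test `diags != nil`, while the neighbouring checks use `diags.HasError()`; `if diags.HasError() {` would match them. Create begins and ends outside these hunks, so whether `diags` is already declared in this scope cannot be checked from here.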
@@ -196,7 +193,7 @@ func (r *ApiTokenResource) Create( return } - diags = data.ReadFromResponse(ctx, apiTokenResp.JSON200, data.Role.ValueStringPointer()) + diags = data.ReadFromResponse(ctx, apiTokenResp.JSON200) if diags.HasError() { resp.Diagnostics.Append(diags...) return @@ -249,7 +246,7 @@ func (r *ApiTokenResource) Read( return } - diags := data.ReadFromResponse(ctx, apiToken.JSON200, data.Role.ValueStringPointer()) + diags := data.ReadFromResponse(ctx, apiToken.JSON200) if diags.HasError() { resp.Diagnostics.Append(diags...) return @@ -353,7 +350,7 @@ func (r *ApiTokenResource) Update( return } - diags = data.ReadFromResponse(ctx, apiTokenResp.JSON200, data.Role.ValueStringPointer()) + diags = data.ReadFromResponse(ctx, apiTokenResp.JSON200) if diags.HasError() { resp.Diagnostics.Append(diags...) return @@ -430,13 +427,10 @@ func (r *ApiTokenResource) ValidateConfig( return } - tokenRole := data.Role.ValueString() - if len(tokenRole) == 0 { - tokenRole, _, diags = RequestApiTokenRole(ctx, roles, data.Type.ValueString()) - if diags != nil { - resp.Diagnostics.Append(diags...) - return - } + tokenRole, _, diags := RequestApiTokenRole(roles, data.Type.ValueString()) + if diags != nil { + resp.Diagnostics.Append(diags...) + return } entityType := data.Type.ValueString() @@ -553,7 +547,7 @@ func RequestApiTokenRoles(ctx context.Context, apiTokenRolesObjSet types.Set) ([ return apiTokenRoles, nil } -func RequestApiTokenRole(ctx context.Context, roles []iam.ApiTokenRole, entityType string) (string, string, diag.Diagnostics) { +func RequestApiTokenRole(roles []iam.ApiTokenRole, entityType string) (string, string, diag.Diagnostics) { for _, role := range roles { if role.EntityType == iam.ApiTokenRoleEntityType(entityType) { return role.Role, role.EntityId, nil diff --git a/internal/provider/schemas/api_token.go b/internal/provider/schemas/api_token.go index bf6fe496..88a12ab7 100644 --- a/internal/provider/schemas/api_token.go 
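Review bot: In ValidateConfig, `tokenRole` now comes only from the `roles` entries, so the `OneOf` allow-list that guarded the removed top-level `role` attribute (deleted in schemas/api_token.go) no longer checks it. Whether the nested schema from `ResourceApiTokenRoleSchemaAttributes()` has an equivalent validator on its `role` field is not visible in this diff. If it does not, a mistyped or unexpected role string would presumably only be rejected by the API at apply time rather than at plan time. The rest of ValidateConfig is outside the hunk, so it may already cover this.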
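Review bot: With the explicit `role` attribute gone, the token's primary role and entity ID are whatever RequestApiTokenRole finds first, because its loop returns on the first entry of `roles` whose entity type equals the token type. `roles` is a set attribute, so when a configuration lists two entries of that entity type the author does not control which one is sent as the token's role, and it could be the more privileged one. ValidateConfig looks like the natural place to reject more than one entry matching `type`, if it does not already do so outside the visible hunk. A doc comment would make the contract explicit: `// RequestApiTokenRole returns the role and entity ID of the first entry in roles whose entity type matches entityType.` The function's not-found return is outside the hunk.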
+++ b/internal/provider/schemas/api_token.go @@ -101,7 +101,7 @@ func ApiTokenResourceSchemaAttributes() map[string]resourceSchema.Attribute { Computed: true, }, "type": resourceSchema.StringAttribute{ - MarkdownDescription: "API Token type", + MarkdownDescription: "API Token type - if changing this value, the API Token will be recreated with the new type", Required: true, Validators: []validator.String{ stringvalidator.OneOf(string(iam.ApiTokenTypeORGANIZATION), @@ -109,6 +109,9 @@ func ApiTokenResourceSchemaAttributes() map[string]resourceSchema.Attribute { string(iam.ApiTokenRoleEntityTypeDEPLOYMENT), ), }, + PlanModifiers: []planmodifier.String{ + stringplanmodifier.RequiresReplaceIfConfigured(), + }, }, "start_at": resourceSchema.StringAttribute{ MarkdownDescription: "time when the API token will become valid in UTC", @@ -144,22 +147,6 @@ func ApiTokenResourceSchemaAttributes() map[string]resourceSchema.Attribute { MarkdownDescription: "API Token last used timestamp", Computed: true, }, - "role": resourceSchema.StringAttribute{ - MarkdownDescription: "The role assigned to the API Token", - Required: true, - Validators: []validator.String{ - stringvalidator.OneOf(string(iam.ORGANIZATIONBILLINGADMIN), - string(iam.ORGANIZATIONMEMBER), - string(iam.ORGANIZATIONOWNER), - string(iam.WORKSPACEACCESSOR), - string(iam.WORKSPACEAUTHOR), - string(iam.WORKSPACEMEMBER), - string(iam.WORKSPACEOWNER), - string(iam.WORKSPACEOPERATOR), - "DEPLOYMENT_ADMIN", - ), - }, - }, "roles": resourceSchema.SetNestedAttribute{ NestedObject: resourceSchema.NestedAttributeObject{ Attributes: ResourceApiTokenRoleSchemaAttributes(),
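Review bot: `type` is declared `Required: true`, so its configured value is never null and `stringplanmodifier.RequiresReplaceIfConfigured()` behaves the same here as `stringplanmodifier.RequiresReplace()`; the plain form states the intent more directly. Replacement presumably deletes the existing token and issues a new secret, so anything still holding the old value stops authenticating after the apply. The description changed in the previous hunk (@@ -101,7 +101,7) could say so, for example `"API Token type - changing this value destroys the token and creates a new one with a new token value"`.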