diff --git a/pydatalab/src/pydatalab/permissions.py b/pydatalab/src/pydatalab/permissions.py
index 0bfd4f8e8..7a0dee1a9 100644
--- a/pydatalab/src/pydatalab/permissions.py
+++ b/pydatalab/src/pydatalab/permissions.py
@@ -1,4 +1,5 @@
 from functools import wraps
+from hashlib import sha512
 from typing import Any
 
 from bson import ObjectId
@@ -9,7 +10,7 @@
 from pydatalab.logger import LOGGER
 from pydatalab.login import UserRole
 from pydatalab.models.people import AccountStatus
-from pydatalab.mongo import get_database
+from pydatalab.mongo import flask_mongo, get_database
 
 PUBLIC_USER_ID = ObjectId(24 * "0")
 
@@ -17,11 +18,24 @@
 def active_users_or_get_only(func):
     """Decorator to ensure that only active user accounts can access the route,
     unless it is a GET-route, in which case deactivated accounts can also access it.
-
+    Now also allows access with valid access tokens.
     """
 
     @wraps(func)
     def wrapped_route(*args, **kwargs):
+        access_token = request.args.get("at")
+        refcode = kwargs.get("refcode")
+
+        if not refcode and access_token:
+            path_parts = request.path.strip("/").split("/")
+            if len(path_parts) >= 2 and path_parts[0] == "items":
+                refcode = path_parts[1]
+
+        if access_token and refcode:
+            token_valid = check_access_token(refcode, access_token)
+            if token_valid:
+                return func(*args, **kwargs)
+
         if (
             (
                 current_user.is_authenticated
@@ -60,7 +74,37 @@ def wrapped_route(*args, **kwargs):
     return wrapped_route
 
 
-def get_default_permissions(user_only: bool = True, deleting: bool = False) -> dict[str, Any]:
+def check_access_token(refcode: str, token: str | None = None) -> bool:
+    """Check whether the provided access token exists in the get_database
+    and corresponds to the relevant refcode.
+
+    Returns:
+        Whether or not the token can read the item.
+
+    """
+
+    if not token or not refcode:
+        return False
+
+    try:
+        if len(refcode.split(":")) != 2:
+            refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
+
+        token_hash = sha512(token.encode("utf-8")).hexdigest()
+
+        access_token_doc = flask_mongo.db.api_keys.find_one(
+            {"token": token_hash, "refcode": refcode, "active": True, "type": "access_token"}
+        )
+
+        return bool(access_token_doc)
+
+    except Exception:
+        return False
+
+
+def get_default_permissions(
+    user_only: bool = True, deleting: bool = False, elevate_permissions: bool = False
+) -> dict[str, Any]:
     """Return the MongoDB query terms corresponding to the current user.
 
     Will return open permissions if a) the `CONFIG.TESTING` parameter is `True`,
@@ -70,6 +114,8 @@ def get_default_permissions(user_only: bool = True, deleting: bool = False) -> d
         user_only: Whether to exclude items that also have no attached user (`False`),
             i.e., public items. This should be set to `False` when reading (and wanting
             to return public items), but left as `True` when modifying or removing items.
+        elevate_permissions: Whether to elevate this query's permissions, i.e., in the case
+            that an item-specific access token has been provided elsewhere.
 
     """
 
@@ -84,6 +130,12 @@ def get_default_permissions(user_only: bool = True, deleting: bool = False) -> d
     ):
         return {}
 
+    if elevate_permissions:
+        LOGGER.warning(
+            "Permissions check with elevated permissions, likely due to access token usage"
+        )
+        return {}
+
     null_perm = {
         "$or": [
             {"creator_ids": {"$size": 0}},
diff --git a/pydatalab/src/pydatalab/routes/v0_1/admin.py b/pydatalab/src/pydatalab/routes/v0_1/admin.py
index c95334073..bd2d0c74d 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/admin.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/admin.py
@@ -1,3 +1,5 @@
+import datetime
+
 from bson import ObjectId
 from flask import Blueprint, jsonify, request
 from flask_login import current_user
@@ -93,3 +95,84 @@ def save_role(user_id):
         )
 
     return (jsonify({"status": "success"}), 200)
+
+
+@ADMIN.route("/items/<refcode>/invalidate-access-token", methods=["POST"])
+def invalidate_access_token(refcode: str):
+    if len(refcode.split(":")) != 2:
+        refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
+
+    query = {"refcode": refcode, "active": True, "type": "access_token"}
+
+    response = flask_mongo.db.api_keys.update_one(
+        query,
+        {
+            "$set": {
+                "active": False,
+                "invalidated_at": datetime.datetime.now(tz=datetime.timezone.utc),
+                "invalidated_by": ObjectId(current_user.id),
+            }
+        },
+    )
+
+    if response.modified_count == 1:
+        return jsonify({"status": "success"}), 200
+    else:
+        return jsonify({"status": "error", "detail": "Token not found or already invalidated"}), 404
+
+
+@ADMIN.route("/access-tokens", methods=["GET"])
+def list_access_tokens():
+    """List all access tokens with their status and metadata."""
+
+    pipeline = [
+        {"$match": {"type": "access_token"}},
+        {
+            "$lookup": {
+                "from": "items",
+                "localField": "refcode",
+                "foreignField": "refcode",
+                "as": "item_info",
+            }
+        },
+        {
+            "$lookup": {
+                "from": "users",
+                "localField": "user",
+                "foreignField": "_id",
+                "as": "user_info",
+            }
+        },
+        {
+            "$project": {
+                "_id": 1,
+                "refcode": 1,
+                "active": 1,
+                "created_at": 1,
+                "invalidated_at": 1,
+                "token": "$token",
+                "item_name": {
+                    "$cond": {
+                        "if": {"$gt": [{"$size": "$item_info"}, 0]},
+                        "then": {"$arrayElemAt": ["$item_info.name", 0]},
+                        "else": None,
+                    }
+                },
+                "item_id": {"$arrayElemAt": ["$item_info.item_id", 0]},
+                "item_type": {
+                    "$cond": {
+                        "if": {"$gt": [{"$size": "$item_info"}, 0]},
+                        "then": {"$arrayElemAt": ["$item_info.type", 0]},
+                        "else": "deleted",
+                    }
+                },
+                "created_by": {"$arrayElemAt": ["$user_info.display_name", 0]},
+                "created_by_info": {"$arrayElemAt": ["$user_info", 0]},
+            }
+        },
+        {"$sort": {"created_at": -1}},
+    ]
+
+    tokens = list(flask_mongo.db.api_keys.aggregate(pipeline))
+
+    return jsonify({"status": "success", "tokens": tokens}), 200
diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
index a886f57e2..f0c8d4a87 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/items.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -1,5 +1,7 @@
 import datetime
 import json
+import uuid
+from hashlib import sha512
 
 from bson import ObjectId
 from flask import Blueprint, jsonify, redirect, request
@@ -18,7 +20,12 @@
 from pydatalab.models.relationships import RelationshipType
 from pydatalab.models.utils import generate_unique_refcode
 from pydatalab.mongo import ITEMS_FTS_FIELDS, flask_mongo
-from pydatalab.permissions import PUBLIC_USER_ID, active_users_or_get_only, get_default_permissions
+from pydatalab.permissions import (
+    PUBLIC_USER_ID,
+    active_users_or_get_only,
+    check_access_token,
+    get_default_permissions,
+)
 
 ITEMS = Blueprint("items", __name__)
 
@@ -746,16 +753,79 @@ def update_item_permissions(refcode: str):
     return jsonify({"status": "success"}), 200
 
 
+@ITEMS.route("/items/<refcode>/issue-access-token", methods=["POST"])
+def issue_physical_token(refcode: str):
+    """Issue a token that will give semi-permanent access to an
+    item with this refcode. This should be used when generating
+    physical labels to attach to a container.
+
+    """
+
+    if len(refcode.split(":")) != 2:
+        refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
+
+    current_item = flask_mongo.db.items.find_one(
+        {"refcode": refcode, **get_default_permissions(user_only=True)},
+        {"refcode": 1},
+    )
+
+    if not current_item:
+        return jsonify(
+            {
+                "status": "error",
+                "message": f"No valid item found with the given {refcode=}.",
+            }
+        ), 404
+
+    existing_token = flask_mongo.db.api_keys.find_one(
+        {"refcode": refcode, "active": True, "type": "access_token"}
+    )
+
+    if existing_token:
+        return jsonify(
+            {
+                "status": "error",
+                "message": "An active access token already exists for this item. Please invalidate it first.",
+            }
+        ), 409
+
+    # Generate token and store it in `api_keys` collection
+    token = str(uuid.uuid1())
+    access_document = {
+        "token": sha512(token.encode("utf-8")).hexdigest(),
+        "refcode": refcode,
+        "user": ObjectId(current_user.id),
+        "active": True,
+        "created_at": datetime.datetime.now(tz=datetime.timezone.utc),
+        "type": "access_token",
+    }
+
+    try:
+        result = flask_mongo.db.api_keys.insert_one(access_document)
+        if not result.inserted_id:
+            return jsonify(
+                {"status": "error", "message": "Unknown error generating token for item."}
+            ), 500
+    except Exception as e:
+        LOGGER.error(f"Error inserting access token: {e}")
+        return jsonify(
+            {"status": "error", "message": "Database error generating token for item."}
+        ), 500
+
+    return jsonify({"status": "success", "token": token}), 201
+
+
 @ITEMS.route("/delete-sample/", methods=["POST"])
 def delete_sample():
     request_json = request.get_json()  # noqa: F821 pylint: disable=undefined-variable
     item_id = request_json["item_id"]
 
-    result = flask_mongo.db.items.delete_one(
-        {"item_id": item_id, **get_default_permissions(user_only=True, deleting=True)}
+    item = flask_mongo.db.items.find_one(
+        {"item_id": item_id, **get_default_permissions(user_only=True, deleting=True)},
+        {"refcode": 1},
     )
 
-    if result.deleted_count != 1:
+    if not item:
         return (
             jsonify(
                 {
@@ -765,15 +835,26 @@ def delete_sample():
             ),
             401,
         )
-    return (
-        jsonify(
-            {
-                "status": "success",
-            }
-        ),
-        200,
+
+    result = flask_mongo.db.items.delete_one(
+        {"item_id": item_id, **get_default_permissions(user_only=True, deleting=True)}
     )
 
+    if result.deleted_count != 1:
+        return (
+            jsonify(
+                {
+                    "status": "error",
+                    "message": f"Failed to delete item with {item_id=}.",
+                }
+            ),
+            400,
+        )
+
+    flask_mongo.db.api_keys.delete_many({"refcode": item["refcode"], "type": "access_token"})
+
+    return jsonify({"status": "success"}), 200
+
 
 @ITEMS.route("/items/<refcode>", methods=["GET"])
 @ITEMS.route("/get-item-data/<item_id>", methods=["GET"])
@@ -781,9 +862,18 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
     """Generates a JSON response for the item with the given `item_id`,
     or `refcode` additionally resolving relationships to files and other items.
     """
+
     redirect_to_ui = bool(request.args.get("redirect-to-ui", default=False, type=json.loads))
+    access_token = request.args.get("at")
     if refcode and redirect_to_ui and CONFIG.APP_URL:
-        return redirect(f"{CONFIG.APP_URL}/items/{refcode}", code=307)
+        redirect_url = f"{CONFIG.APP_URL}/items/{refcode}"
+        if access_token:
+            redirect_url += f"?at={access_token}"
+        return redirect(redirect_url, code=307)
+
+    valid_access_token = False
+    if refcode and access_token:
+        valid_access_token = check_access_token(refcode, access_token)
 
     if item_id:
         match = {"item_id": item_id}
@@ -809,7 +899,9 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
             {
                 "$match": {
                     **match,
-                    **get_default_permissions(user_only=False),
+                    **get_default_permissions(
+                        user_only=False, elevate_permissions=valid_access_token
+                    ),
                 }
             },
             {"$lookup": creators_lookup()},
@@ -823,11 +915,7 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
     except IndexError:
         doc = None
 
-    if not doc or (
-        not current_user.is_authenticated
-        and not CONFIG.TESTING
-        and doc["type"] != "starting_materials"
-    ):
+    if not doc:
         return (
             jsonify(
                 {
@@ -1026,7 +1114,7 @@ def save_item():
     item.pop("creators")
 
     result = flask_mongo.db.items.update_one(
-        {"item_id": item_id},
+        {"item_id": item_id, **get_default_permissions(user_only=True)},
         {"$set": item},
     )
 
@@ -1081,3 +1169,67 @@ def search_users():
     return jsonify(
         {"status": "success", "users": list(json.loads(Person(**d).json()) for d in cursor)}
     ), 200
+
+
+@ITEMS.route("/items/<refcode>/access-token-info", methods=["GET"])
+def get_access_token_info(refcode: str):
+    """Get information about existing access token for this item (if any).
+
+    Returns token info (with masked token) if user has permissions to this item.
+    """
+    access_token = request.args.get("at")
+    if access_token and check_access_token(refcode, access_token):
+        pass
+    elif not (current_user.is_authenticated):
+        return jsonify({"status": "error", "message": "Authentication required."}), 401
+
+    if len(refcode.split(":")) != 2:
+        refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
+
+    current_item = flask_mongo.db.items.find_one(
+        {"refcode": refcode, **get_default_permissions(user_only=True)},
+        {"refcode": 1},
+    )
+
+    if not current_item:
+        return jsonify(
+            {
+                "status": "error",
+                "message": f"No valid item found with the given {refcode=}.",
+            }
+        ), 404
+
+    existing_token = flask_mongo.db.api_keys.find_one(
+        {"refcode": refcode, "active": True, "type": "access_token"},
+        {"token": 1, "created_at": 1, "user": 1},
+    )
+
+    if existing_token:
+        token_hash = existing_token["token"]
+        masked_token = token_hash[:8] + "..." + token_hash[-8:]
+
+        user_info = None
+        if existing_token.get("user"):
+            user_doc = flask_mongo.db.users.find_one(
+                {"_id": existing_token["user"]}, {"display_name": 1, "contact_email": 1}
+            )
+            if user_doc:
+                user_info = {
+                    "display_name": user_doc.get("display_name"),
+                    "contact_email": user_doc.get("contact_email"),
+                }
+
+        return jsonify(
+            {
+                "status": "success",
+                "has_token": True,
+                "token_info": {
+                    "token": masked_token,
+                    "created_at": existing_token["created_at"],
+                    "created_by": str(existing_token["user"]),
+                    "created_by_info": user_info,
+                },
+            }
+        ), 200
+    else:
+        return jsonify({"status": "success", "has_token": False}), 200
diff --git a/pydatalab/tests/server/test_permissions.py b/pydatalab/tests/server/test_permissions.py
index b149d958a..4d96e5f5c 100644
--- a/pydatalab/tests/server/test_permissions.py
+++ b/pydatalab/tests/server/test_permissions.py
@@ -84,3 +84,47 @@ def test_basic_permissions_update(admin_client, admin_user_id, client, user_id):
     # but that the admin still remains the creator
     response = admin_client.get(f"/items/{refcode}")
     assert response.status_code == 200
+
+
+def test_access_token_permissions(client, unauthenticated_client, admin_client, database):
+    response = client.post("/new-sample/", json={"type": "samples", "item_id": "private-sample"})
+    assert response.status_code == 201
+    response = response.json
+
+    refcode = response["sample_list_entry"]["refcode"]
+    assert refcode
+
+    response = client.post(f"/items/{refcode}/issue-access-token")
+    response = response.json
+    assert response["status"] == "success"
+    token = response["token"]
+    assert token
+
+    response = unauthenticated_client.get(f"/items/{refcode}")
+    assert response.status_code == 401
+
+    response = unauthenticated_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 200
+
+    response = unauthenticated_client.get(f"/items/{refcode}?at={token}123")
+    assert response.status_code == 401
+
+    response = admin_client.get(f"/items/{refcode}")
+    assert response.status_code == 200
+
+    response = admin_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 200
+
+    database.api_keys.drop()
+
+    response = admin_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 401
+
+    response = client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 401
+
+    response = client.get(f"/items/{refcode}")
+    assert response.status_code == 200
+
+    response = unauthenticated_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 401
diff --git a/webapp/src/components/AdminDisplay.vue b/webapp/src/components/AdminDisplay.vue
index c9905f2c6..e7e4a20b1 100644
--- a/webapp/src/components/AdminDisplay.vue
+++ b/webapp/src/components/AdminDisplay.vue
@@ -1,15 +1,24 @@
 <template>
   <div class="admin-display">
-    <template v-if="selectedItem === 'Users'"> <UserTable /> </template>
+    <template v-if="selectedItem === 'Users'">
+      <UserTable />
+    </template>
+    <template v-if="selectedItem === 'Access Tokens'">
+      <TokenTable />
+    </template>
   </div>
 </template>
 
 <script>
 import UserTable from "./UserTable.vue";
+import TokenTable from "./TokenTable.vue";
 
 export default {
   name: "AdminDisplay",
-  components: { UserTable },
+  components: {
+    UserTable,
+    TokenTable,
+  },
   props: {
     selectedItem: {
       type: String,
diff --git a/webapp/src/components/DialogModal.vue b/webapp/src/components/DialogModal.vue
index f7e0eb87c..3566baa9f 100644
--- a/webapp/src/components/DialogModal.vue
+++ b/webapp/src/components/DialogModal.vue
@@ -1,8 +1,12 @@
 <template>
   <Teleport to="body">
-    <div v-if="isVisible" class="modal fade show d-block" @click.self="handleOverlayClick">
-      <div class="modal-dialog modal-dialog-centered">
-        <div class="modal-content">
+    <div
+      v-if="isVisible"
+      class="modal fade show d-block dialog-modal-overlay"
+      @click.self="handleOverlayClick"
+    >
+      <div class="modal-dialog modal-dialog-centered dialog-modal-container">
+        <div class="modal-content dialog-modal-content">
           <div class="modal-header">
             <h5 class="modal-title">{{ title }}</h5>
             <button v-if="showCloseButton" type="button" class="close" @click="cancel">
@@ -54,7 +58,7 @@
         </div>
       </div>
     </div>
-    <div v-if="isVisible" class="modal-backdrop fade show"></div>
+    <div v-if="isVisible" class="modal-backdrop fade show dialog-modal-backdrop"></div>
   </Teleport>
 </template>
 
@@ -130,3 +134,13 @@ export default {
   },
 };
 </script>
+
+<style scoped>
+.dialog-modal-overlay {
+  z-index: 9999 !important;
+}
+
+.dialog-modal-backdrop {
+  z-index: 9998 !important;
+}
+</style>
diff --git a/webapp/src/components/QRCode.vue b/webapp/src/components/QRCode.vue
index cff1c60a5..fd7b32d47 100644
--- a/webapp/src/components/QRCode.vue
+++ b/webapp/src/components/QRCode.vue
@@ -1,10 +1,11 @@
 <template>
   <div class="text-center">
     <QRCodeVue3
-      :value="QRCodeUrl"
+      :key="currentQRCodeUrl"
+      :value="currentQRCodeUrl"
       :width="width"
       :height="width"
-      :qr-options="{ typeNumber: 0, mode: 'Byte', errorCorrectionLevel: 'H' }"
+      :qr-options="{ typeNumber: 0, mode: 'Byte', errorCorrectionLevel: 'Q' }"
       :image-options="{ hideBackgroundDots: false, imageSize: 0, margin: 0 }"
       :dots-options="{
         type: 'square',
@@ -15,6 +16,7 @@
       :corners-dot-options="{ type: 'square', color: 'black' }"
       file-ext="png"
     />
+
     <div
       id="qrcode-text-label"
       :style="{ width: width }"
@@ -22,8 +24,82 @@
     >
       {{ refcode }}
     </div>
+
+    <div class="mt-2">
+      <span v-if="!isPublicMode" class="badge bg-primary">Private QR Code</span>
+      <span v-else class="badge bg-warning text-dark">Public QR Code</span>
+    </div>
+  </div>
+
+  <div v-if="isLoading" class="text-center mt-3">
+    <div class="spinner-border spinner-border-sm" role="status">
+      <span class="visually-hidden">Loading...</span>
+    </div>
+    <small class="d-block mt-1">Checking existing tokens...</small>
+  </div>
+
+  <div v-else-if="!isPublicMode" class="mt-3">
+    <div class="alert alert-info">
+      <strong v-if="hasExistingToken">Public QR Code Available:</strong>
+      <strong v-else>Generate Public QR Code:</strong>
+      <br />
+      <span v-if="hasExistingToken">
+        A public QR code already exists for this item. You can view it or generate a new one if
+        needed.
+      </span>
+      <span v-else>
+        This QR code requires authentication to access. You can generate a public QR code that
+        allows access without login.
+      </span>
+    </div>
+
+    <button
+      class="btn w-100"
+      :class="hasExistingToken ? 'btn-info' : 'btn-warning'"
+      :disabled="isGenerating"
+      @click.prevent="hasExistingToken ? switchToPublic() : generatePublicQRCode()"
+    >
+      <span v-if="isGenerating">
+        <span class="spinner-border spinner-border-sm me-2" role="status"></span>
+        Generating...
+      </span>
+      <span v-else-if="hasExistingToken"> <i class="fas fa-eye me-2"></i>View Public QR Code </span>
+      <span v-else> <i class="fas fa-unlock me-2"></i>Generate Public QR Code </span>
+    </button>
+  </div>
+
+  <div v-else class="mt-3">
+    <div class="alert alert-warning">
+      <strong><i class="fas fa-exclamation-triangle me-2"></i>Public QR Code Active</strong><br />
+      This QR code can be accessed by anyone with the link. No authentication required.
+      <div class="mt-2">
+        <small><strong>Created:</strong> {{ formattedCreationDate }}</small>
+      </div>
+    </div>
+
+    <div class="row g-2">
+      <div class="col-6">
+        <button class="btn btn-outline-info w-100" @click="switchToPrivate">
+          <i class="fas fa-eye me-1"></i>View Private QRCode
+        </button>
+      </div>
+      <div class="col-6">
+        <button
+          class="btn btn-outline-danger w-100"
+          :disabled="isInvalidating"
+          @click.stop.prevent="invalidateToken"
+        >
+          <i class="fas fa-trash me-1"></i>Delete Token
+        </button>
+      </div>
+    </div>
+  </div>
+
+  <div v-if="errorMessage" class="alert alert-danger mt-3">
+    <i class="fas fa-exclamation-triangle me-2"></i>{{ errorMessage }}
   </div>
-  <div v-if="!federatedQR" class="alert alert-info">
+
+  <div v-if="!federatedQR" class="alert alert-info mt-3">
     QR_CODE_RESOLVER_URL is not set to the federation resolver URL for this deployment.<br />
     Links embedded within QR codes generated here will only work if this <i>datalab</i> instance
     remains at the same URL.<br /><br />
@@ -35,6 +111,9 @@
 
 <script>
 import QRCodeVue3 from "qrcode-vue3";
+
+import { DialogService } from "@/services/DialogService";
+
 import { FEDERATION_QR_CODE_RESOLVER_URL, QR_CODE_RESOLVER_URL, API_URL } from "@/resources.js";
 
 export default {
@@ -52,23 +131,204 @@ export default {
       default: 200,
     },
   },
+  emits: ["public-token-generated", "public-token-invalidated"],
   data() {
     return {
       federationQRCodeUrl: FEDERATION_QR_CODE_RESOLVER_URL,
+      isPublicMode: false,
+      publicToken: null,
+      tokenInfo: null,
+      isLoading: false,
+      isGenerating: false,
+      isInvalidating: false,
+      errorMessage: null,
     };
   },
   computed: {
     federatedQR() {
       return FEDERATION_QR_CODE_RESOLVER_URL == QR_CODE_RESOLVER_URL;
     },
-    QRCodeUrl() {
-      // If the QR_CODE_RESOLVER_URL is not set, use the API_URL
-      // with the redirect-to-ui option
+    privateQRCodeUrl() {
       if (QR_CODE_RESOLVER_URL == null) {
         return API_URL + "/items/" + this.refcode + "?redirect-to-ui=true";
       }
       return QR_CODE_RESOLVER_URL + "/" + this.refcode;
     },
+    publicQRCodeUrl() {
+      if (!this.publicToken) return this.privateQRCodeUrl;
+
+      if (QR_CODE_RESOLVER_URL == null) {
+        return `${API_URL}/items/${this.refcode}?redirect-to-ui=true&at=${this.publicToken}`;
+      }
+      return `${QR_CODE_RESOLVER_URL}/${this.refcode}?at=${this.publicToken}`;
+    },
+    currentQRCodeUrl() {
+      const url = this.isPublicMode ? this.publicQRCodeUrl : this.privateQRCodeUrl;
+      return url;
+    },
+    formattedCreationDate() {
+      if (!this.tokenInfo?.created_at) return "Unknown";
+
+      try {
+        const date = new Date(this.tokenInfo.created_at);
+        return date.toLocaleDateString() + " at " + date.toLocaleTimeString();
+      } catch {
+        return "Unknown";
+      }
+    },
+    hasExistingToken() {
+      return this.tokenInfo && this.publicToken === "existing-token";
+    },
+  },
+  mounted() {
+    this.checkExistingToken();
+  },
+  beforeUnmount() {
+    this.errorMessage = null;
+  },
+  methods: {
+    async checkExistingToken() {
+      this.isLoading = true;
+      this.errorMessage = null;
+
+      const urlParams = new URLSearchParams(window.location.search);
+      const accessToken = urlParams.get("at");
+      if (accessToken) {
+        this.isLoading = false;
+        return;
+      }
+
+      try {
+        const response = await fetch(`${API_URL}/items/${this.refcode}/access-token-info`, {
+          method: "GET",
+          credentials: "include",
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          if (data.has_token) {
+            this.tokenInfo = data.token_info;
+            this.publicToken = "existing-token";
+          }
+        } else if (response.status === 404) {
+          console.debug("No access to item or item not found");
+        } else {
+          console.warn("Error checking token:", data.message);
+        }
+      } catch (error) {
+        console.error("Error checking existing token:", error);
+      } finally {
+        this.isLoading = false;
+      }
+    },
+    async generatePublicQRCode() {
+      setTimeout(async () => {
+        const confirmed = await DialogService.confirm({
+          title: "Generate Public QR Code",
+          message:
+            "This will create a QR code that can be accessed by anyone without authentication. Are you sure you want to proceed?",
+          type: "warning",
+          confirmButtonText: "Generate Public QR Code",
+          cancelButtonText: "Cancel",
+        });
+
+        if (!confirmed) {
+          return;
+        }
+
+        this.isGenerating = true;
+
+        try {
+          const response = await fetch(`${API_URL}/items/${this.refcode}/issue-access-token`, {
+            method: "POST",
+            credentials: "include",
+            headers: {
+              "Content-Type": "application/json",
+            },
+          });
+
+          const data = await response.json();
+
+          if (response.ok && data.status === "success") {
+            this.publicToken = data.token;
+            this.isPublicMode = true;
+            this.tokenInfo = {
+              created_at: new Date().toISOString(),
+              created_by: this.$store.state.currentUserID,
+            };
+            this.$emit("public-token-generated", {
+              refcode: this.refcode,
+              token: data.token,
+            });
+          } else if (response.status === 409) {
+            this.errorMessage =
+              "A public QR code already exists for this item. Please refresh the page to see it.";
+            this.checkExistingToken();
+          } else {
+            throw new Error(data.message || "Failed to generate access token");
+          }
+        } catch (error) {
+          console.error("Error generating public QR code:", error);
+          this.errorMessage = `Failed to generate public QR code: ${error.message}`;
+        } finally {
+          this.isGenerating = false;
+        }
+      }, 100);
+    },
+    async invalidateToken() {
+      const confirmed = await DialogService.confirm({
+        title: "Delete Public QR Code",
+        message:
+          "This will permanently invalidate the public QR code. Anyone with the current link will no longer be able to access this item. Are you sure?",
+        type: "warning",
+        confirmButtonText: "Delete Token",
+        cancelButtonText: "Cancel",
+      });
+
+      if (!confirmed) {
+        return;
+      }
+
+      this.isInvalidating = true;
+      this.errorMessage = null;
+
+      try {
+        const response = await fetch(`${API_URL}/items/${this.refcode}/invalidate-access-token`, {
+          method: "POST",
+          credentials: "include",
+          headers: {
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({}),
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          this.publicToken = null;
+          this.tokenInfo = null;
+          this.isPublicMode = false;
+          this.showInvalidateConfirm = false;
+          this.$emit("public-token-invalidated", { refcode: this.refcode });
+        } else {
+          throw new Error(data.detail || data.message || "Failed to invalidate token");
+        }
+      } catch (error) {
+        console.error("Error invalidating token:", error);
+        this.errorMessage = `Failed to invalidate token: ${error.message}`;
+      } finally {
+        this.isInvalidating = false;
+      }
+    },
+    switchToPrivate() {
+      this.isPublicMode = false;
+      this.errorMessage = null;
+    },
+    switchToPublic() {
+      this.isPublicMode = true;
+      this.errorMessage = null;
+    },
   },
 };
 </script>
diff --git a/webapp/src/components/TokenTable.vue b/webapp/src/components/TokenTable.vue
new file mode 100644
index 000000000..c96e7fa7c
--- /dev/null
+++ b/webapp/src/components/TokenTable.vue
@@ -0,0 +1,205 @@
+<template>
+  <table class="table table-hover table-sm" data-testid="tokens-table">
+    <thead>
+      <tr>
+        <th scope="col">Item</th>
+        <th scope="col">Token Status</th>
+        <th scope="col">Refcode</th>
+        <th scope="col">Item Type</th>
+        <th scope="col">Created By</th>
+        <th scope="col">Date Created</th>
+        <th scope="col">Actions</th>
+      </tr>
+    </thead>
+    <tbody>
+      <tr v-if="isLoading">
+        <td colspan="6" class="text-center">
+          <div class="spinner-border spinner-border-sm" role="status"></div>
+          Loading tokens...
+        </td>
+      </tr>
+      <tr v-else-if="tokens.length === 0">
+        <td colspan="6" class="text-center text-muted">No access tokens found</td>
+      </tr>
+      <tr v-for="token in sortedTokens" v-else :key="token._id">
+        <td align="left">
+          <FormattedItemName
+            v-if="token.item_id"
+            :item_id="token.item_id"
+            :item-type="token.item_type"
+            enable-click
+          />
+        </td>
+        <td align="left">
+          <span v-if="token.active" class="badge badge-success text-uppercase"> Active </span>
+          <span v-else class="badge badge-danger text-uppercase"> Invalidated </span>
+        </td>
+        <td align="left">
+          <FormattedRefcode
+            :refcode="token.refcode"
+            :enable-q-r-code="token.item_type !== 'deleted'"
+          />
+        </td>
+        <td align="left">{{ token.item_type || "Unknown" }}</td>
+        <td>
+          <div v-if="token.created_by_info" class="d-flex align-items-center">
+            <UserBubble :creator="token.created_by_info" :size="24" />
+            <span class="ms-2">{{ token.created_by_info.display_name }}</span>
+          </div>
+          <span v-else class="text-muted">Unknown</span>
+        </td>
+        <td align="left">{{ formatDate(token.created_at) }}</td>
+        <td align="left">
+          <button
+            v-if="token.active"
+            class="btn btn-outline-danger btn-sm text-uppercase text-monospace"
+            :disabled="invalidatingTokens.has(token._id)"
+            @click="confirmInvalidateToken(token)"
+          >
+            <span v-if="invalidatingTokens.has(token._id)"> Invalidating... </span>
+            <span v-else> Invalidate </span>
+          </button>
+          <button
+            v-else
+            class="btn btn-outline-secondary btn-sm text-uppercase text-monospace"
+            disabled
+          >
+            Invalidated
+          </button>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</template>
+
+<script>
+import { API_URL } from "@/resources.js";
+
+import { DialogService } from "@/services/DialogService";
+
+import FormattedItemName from "@/components/FormattedItemName.vue";
+import FormattedRefcode from "@/components/FormattedRefcode.vue";
+import UserBubble from "@/components/UserBubble.vue";
+
+export default {
+  name: "TokenTable",
+  components: {
+    FormattedRefcode,
+    FormattedItemName,
+    UserBubble,
+  },
+  data() {
+    return {
+      tokens: [],
+      isLoading: false,
+      invalidatingTokens: new Set(),
+    };
+  },
+  computed: {
+    sortedTokens() {
+      return [...this.tokens].sort((a, b) => {
+        if (a.active !== b.active) {
+          return a.active ? -1 : 1;
+        }
+        return new Date(b.created_at) - new Date(a.created_at);
+      });
+    },
+  },
+
+  created() {
+    this.loadTokens();
+  },
+
+  methods: {
+    async loadTokens() {
+      this.isLoading = true;
+
+      try {
+        const response = await fetch(`${API_URL}/access-tokens`, {
+          method: "GET",
+          credentials: "include",
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          this.tokens = data.tokens;
+        } else {
+          console.error("Failed to load tokens:", data.message);
+        }
+      } catch (error) {
+        console.error("Error loading tokens:", error);
+      } finally {
+        this.isLoading = false;
+      }
+    },
+    async confirmInvalidateToken(token) {
+      const confirmed = await DialogService.confirm({
+        title: "Invalidate Access Token",
+        message: `Are you sure you want to invalidate the access token for <strong>${token.item_id}</strong> (${token.refcode})? <br><br>This action cannot be undone and will immediately block access for anyone using this token.`,
+        type: "error",
+        confirmButtonText: "Invalidate Token",
+        cancelButtonText: "Cancel",
+      });
+
+      if (confirmed) {
+        await this.invalidateToken(token);
+      }
+    },
+    async invalidateToken(token) {
+      this.invalidatingTokens.add(token._id);
+
+      try {
+        const response = await fetch(`${API_URL}/items/${token.refcode}/invalidate-access-token`, {
+          method: "POST",
+          credentials: "include",
+          headers: {
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({
+            token: "admin-invalidation",
+          }),
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          // Mettre à jour le token dans la liste
+          const index = this.tokens.findIndex((t) => t._id === token._id);
+          if (index !== -1) {
+            this.tokens[index].active = false;
+            this.tokens[index].invalidated_at = new Date().toISOString();
+          }
+        } else {
+          alert(`Failed to invalidate token: ${data.detail || data.message}`);
+        }
+      } catch (error) {
+        console.error("Error invalidating token:", error);
+        alert(`Error invalidating token: ${error.message}`);
+      } finally {
+        this.invalidatingTokens.delete(token._id);
+      }
+    },
+
+    formatDate(dateString) {
+      if (!dateString) return "Unknown";
+      try {
+        return new Date(dateString).toLocaleDateString();
+      } catch {
+        return "Invalid date";
+      }
+    },
+  },
+};
+</script>
+
+<style scoped>
+td {
+  vertical-align: middle;
+}
+
+.table-item-id {
+  font-size: 1.2em;
+  font-weight: normal;
+}
+</style>
diff --git a/webapp/src/server_fetch_utils.js b/webapp/src/server_fetch_utils.js
index a41a35531..8f98d2faa 100644
--- a/webapp/src/server_fetch_utils.js
+++ b/webapp/src/server_fetch_utils.js
@@ -445,8 +445,13 @@ export function removeItemsFromCollection(collection_id, refcodes) {
     });
 }
 
-export async function getItemData(item_id) {
-  return fetch_get(`${API_URL}/get-item-data/${item_id}`)
+export async function getItemData(item_id, accessToken = null) {
+  let url = `${API_URL}/get-item-data/${item_id}`;
+  if (accessToken) {
+    url += `?at=${accessToken}`;
+  }
+
+  return fetch_get(url)
     .then((response_json) => {
       store.commit("createItemData", {
         item_id: item_id,
@@ -454,7 +459,6 @@ export async function getItemData(item_id) {
         child_items: response_json.child_items,
         parent_items: response_json.parent_items,
       });
-
       return "success";
     })
     .catch((error) => {
@@ -465,8 +469,13 @@ export async function getItemData(item_id) {
     });
 }
 
-export async function getItemByRefcode(refcode) {
-  return fetch_get(`${API_URL}/items/${refcode}`)
+export async function getItemByRefcode(refcode, accessToken = null) {
+  let url = `${API_URL}/items/${refcode}`;
+  if (accessToken) {
+    url += `?at=${accessToken}`;
+  }
+
+  return fetch_get(url)
     .then((response_json) => {
       store.commit("createItemData", {
         refcode: refcode,
diff --git a/webapp/src/views/Admin.vue b/webapp/src/views/Admin.vue
index 1625e44cf..641906c6a 100644
--- a/webapp/src/views/Admin.vue
+++ b/webapp/src/views/Admin.vue
@@ -23,7 +23,7 @@ export default {
   },
   data() {
     return {
-      items: ["Users"],
+      items: ["Users", "Access Tokens"],
       selectedItem: "Users",
       user: null,
     };
diff --git a/webapp/src/views/EditPage.vue b/webapp/src/views/EditPage.vue
index d674fb2b5..f88c29d0b 100644
--- a/webapp/src/views/EditPage.vue
+++ b/webapp/src/views/EditPage.vue
@@ -300,8 +300,11 @@ export default {
       this.lastModified = "just now";
     },
     async getSampleData() {
+      const urlParams = new URLSearchParams(window.location.search);
+      const accessToken = urlParams.get("at");
+
       if (this.item_id == null) {
-        getItemByRefcode(this.refcode).then(() => {
+        getItemByRefcode(this.refcode, accessToken).then(() => {
           this.itemDataLoaded = true;
           this.$nextTick(() => {
             this.$store.commit("setItemSaved", { item_id: this.item_id, isSaved: true });
@@ -310,7 +313,7 @@ export default {
           this.updateBlocks();
         });
       } else {
-        getItemData(this.item_id).then(() => {
+        getItemData(this.item_id, accessToken).then(() => {
           this.itemDataLoaded = true;
           this.refcode = this.item_data.refcode;
           this.$nextTick(() => {
@@ -320,7 +323,6 @@ export default {
         });
       }
     },
-
     async updateBlocks() {
       if (this.itemDataLoaded) {
         // update each block asynchronously