Vault Tokens are the primary authentication method for accessing secrets. Every request to Vault requires a valid token. Tokens can have policies attached, time limits, and usage restrictions.

Key Concepts

Authentication

Tokens authenticate requests to Vault. No token means no access.

Policies

Tokens inherit permissions from their attached policies. Policies are additive: attaching more policies grants more access.

TTL (Time To Live)

Tokens expire after their TTL. Renewable tokens can extend their lifetime.

Accessors

Public identifiers for tokens. Used to manage tokens without exposing the secret.

Token Properties

Property      Description
Accessor      Public identifier for the token (safe to log/store)
Display Name  Human-readable label for identification
Policies      List of policies granting permissions
TTL           Time until the token expires
Renewable     Whether the token can be renewed
Token Type    Service (default) or batch
Num Uses      Maximum number of times the token can be used

Required Permissions

Action               Permission
View tokens          iam:project:cicd:vault:read
Create/Renew tokens  iam:project:cicd:vault:write
Revoke tokens        iam:project:cicd:vault:delete

How to Create a Token

1. Select Vault Instance
   Choose the target Vault instance from the dropdown.

2. Click Create Token
   Click the Create Token button.

3. Configure Token Information
   • Display Name: Human-readable identifier (e.g., ci-pipeline-token)
   • Policies: Comma-separated list of policies (e.g., default, app-read)

4. Set Time & Limits
   • TTL: Token lifetime (e.g., 24h, 7d, 30d)
   • Period: For periodic tokens (renewable indefinitely)
   • Max TTL: Absolute maximum lifetime
   • Num Uses: Limit usage count (0 = unlimited)
   • Renewable: Toggle to allow renewal

5. Add Metadata (Optional)
   Add JSON metadata for tracking:
   {
     "created_by": "admin",
     "environment": "production",
     "purpose": "CI/CD pipeline"
   }

6. Create
   Click Create Token. The token is generated.

7. Copy Token Immediately
   The token value is shown only once. Copy and store it securely before closing the dialog.

Note: The token value is displayed only once, at creation. If you lose it, you must create a new token. There is no way to retrieve an existing token’s value.

TTL Format Reference

Format    Example  Meaning
Hours     24h      24 hours
Days      7d       7 days
Weeks     2w       2 weeks
Months    1M       1 month
Years     1y       1 year
Combined  1d12h    1 day and 12 hours
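The parser below is an added example (not code from this page or from Vault) that validates TTL strings in the format documented above, including combined values such as 1d12h and the minutes form used later on this page (30m). It assumes 30-day months and 365-day years, since "M" and "y" have no fixed length.

```python
import re

# Seconds per unit. "M" (month) and "y" (year) have no fixed length; this example
# assumes 30-day months and 365-day years (an assumption, not a rule from the page).
UNIT_SECONDS = {
    "s": 1, "m": 60, "h": 3600, "d": 86400,
    "w": 7 * 86400, "M": 30 * 86400, "y": 365 * 86400,
}
_PART = re.compile(r"(\d+)([smhdwMy])")


def parse_ttl(spec: str) -> int:
    """Convert '24h', '7d', '1M' or a combined '1d12h' into seconds.

    Every character must belong to a <number><unit> pair, so '24hr', '1 d' or
    '1m12' raise ValueError instead of silently yielding the wrong lifetime.
    Units are case-sensitive: 'm' is minutes, 'M' is months.
    """
    spec = spec.strip()
    total, pos = 0, 0
    for part in _PART.finditer(spec):
        if part.start() != pos:      # stray characters between pairs
            break
        total += int(part.group(1)) * UNIT_SECONDS[part.group(2)]
        pos = part.end()
    if not spec or pos != len(spec):  # empty, trailing junk, or a bad unit
        raise ValueError(f"invalid TTL {spec!r}")
    return total


def ttl_within_max(ttl: str, max_ttl: str) -> bool:
    """True when the requested TTL does not exceed the max TTL (both in page format)."""
    return parse_ttl(ttl) <= parse_ttl(max_ttl)
```

Rejecting malformed strings matters because a TTL that parses "partially" would create a token with a lifetime other than the one the operator intended.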

Token Types

Service Tokens (Default)

  • Stored in Vault’s storage backend
  • Can create child tokens
  • Support all token features
  • Best for: Long-lived applications, users

Batch Tokens

  • Not stored in Vault (stateless)
  • Cannot create child tokens
  • Cannot be renewed
  • Best for: High-performance, short-lived operations

How to Renew a Token

Renewable tokens can extend their TTL before expiration.
1. Find the Token
   Locate the token in the list by accessor or display name.

2. Click Renew
   Click the refresh icon on the token row.

3. Confirm
   Confirm the renewal. The token’s TTL is extended.

Note: Renewal extends the TTL by the token’s original TTL duration, up to the explicit max TTL if set. Non-renewable tokens cannot be renewed.

How to Revoke a Token

Revoked tokens immediately become invalid.
1. Find the Token
   Locate the token in the list.

2. Click Revoke
   Click the trash icon on the token row.

3. Confirm
   Confirm the revocation. The token is permanently invalidated.

Note: Revoking a token also revokes all child tokens created by it. This action cannot be undone.
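The following model is an added example, not Vault's code or this page's, that simulates the lifetime rules stated in the Token Types, renewal and revocation sections: batch tokens can neither renew nor create children, renewal re-grants the original TTL but never past the max TTL measured from creation, periodic tokens get a fresh period on each renewal, and revoking a token revokes its whole subtree. Times are plain integer seconds supplied by the caller.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Token:
    """Model of the lifetime rules on this page (a simulation, not Vault's own code)."""
    accessor: str
    ttl: int                       # original TTL (seconds); each renewal grants it again
    batch: bool = False            # batch tokens: no renewal, no child tokens
    renewable: bool = True
    max_ttl: Optional[int] = None  # absolute cap, measured from creation
    period: Optional[int] = None   # periodic token: each renewal grants one more period
    created_at: int = 0
    revoked: bool = False
    expires_at: int = field(init=False)
    children: List["Token"] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.expires_at = self.created_at + (self.period or self.ttl)

    def is_valid(self, now: int) -> bool:
        return not self.revoked and now < self.expires_at

    def renew(self, now: int) -> bool:
        """Batch and non-renewable tokens are refused; a periodic token gets a fresh
        period; any other token gets its original TTL again, capped at max TTL."""
        if self.batch or not self.renewable or not self.is_valid(now):
            return False
        if self.period is not None:
            self.expires_at = now + self.period
        else:
            self.expires_at = now + self.ttl
            if self.max_ttl is not None:
                self.expires_at = min(self.expires_at, self.created_at + self.max_ttl)
        return True

    def create_child(self, accessor: str, now: int, **kw) -> Optional["Token"]:
        """Only a live service token can create a child; batch tokens cannot."""
        if self.batch or not self.is_valid(now):
            return None
        child = Token(accessor=accessor, created_at=now, **kw)
        self.children.append(child)
        return child

    def revoke(self) -> int:
        """Revoke this token and every descendant (the revocation tree); returns how many."""
        count = 0 if self.revoked else 1
        self.revoked = True
        return count + sum(child.revoke() for child in self.children)
```

Walking a few renewals through this model shows why a token with max TTL stops gaining lifetime even though renewal still "succeeds", which is the behaviour behind the "Token may have reached its explicit max TTL" troubleshooting entry.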

Common Token Patterns

CI/CD Pipeline Token

Display Name: ci-pipeline-prod
Policies: ci-read-secrets, deploy-prod
TTL: 1h
Renewable: Yes
Num Uses: 0 (unlimited)
Short-lived but renewable for long-running pipelines.

Application Service Token

Display Name: myapp-backend
Policies: app-secrets-read
TTL: 24h
Renewable: Yes
Period: 12h
Periodic token that renews indefinitely as long as the app is running.

One-Time Bootstrap Token

Display Name: initial-setup
Policies: bootstrap-admin
TTL: 30m
Renewable: No
Num Uses: 1
Single-use token for initial configuration.

Developer Token

Display Name: dev-john-doe
Policies: dev-read-only
TTL: 8h
Renewable: Yes
Max TTL: 7d
Daily token that can be renewed up to a week.

Metadata Best Practices

Record who created a token and why, for example:
{
  "created_by": "[email protected]",
  "team": "platform",
  "environment": "production",
  "purpose": "Database credential rotation",
  "ticket": "JIRA-1234"
}
Metadata helps with:
  • Audit trail and compliance
  • Token ownership tracking
  • Debugging and troubleshooting
  • Automated cleanup policies

Troubleshooting

A newly created token does not appear in the list
  • Refresh the page or click the refresh button
  • Tokens may take a moment to propagate
  • Verify you’re viewing the correct Vault instance

Token creation fails
  • You need write permission for Vault tokens
  • The Vault instance must be active and reachable
  • Check that the specified policies exist

Token expired sooner than expected
  • TTL may have been set too short
  • Server time may be out of sync
  • Max TTL on the auth method may limit token lifetime

Token cannot be renewed
  • Token may not be renewable (check the Renewable column)
  • Token may have reached its explicit max TTL
  • Batch tokens cannot be renewed

Token value was lost
  • Token values cannot be retrieved after creation
  • Create a new token with the same configuration
  • Revoke the lost token to prevent unauthorized use

Token is denied access to a path
  • Check that required policies are attached
  • Verify policies grant access to the specific path
  • Token may have been revoked by another admin

FAQ

What is the difference between TTL and Max TTL?
TTL is the initial lifetime. When renewed, the TTL resets. Max TTL is the absolute limit: the token cannot exist beyond this time regardless of renewals.

What is a periodic token?
A token with a period set. Instead of expiring, it must be renewed within each period. As long as it’s renewed, it lives indefinitely. Useful for long-running services.

Should I use service or batch tokens?
Use service tokens for most cases. Use batch tokens only for high-throughput scenarios where you need stateless tokens and don’t need renewal or child tokens.

What happens to child tokens when the parent is revoked?
All child tokens are automatically revoked. This is called “token revocation tree” behavior.

How do I find out what a token can access?
Check the attached policies. Each policy defines path-based permissions. Use the Policies page to review what each policy allows.

How do I rotate a token?
Create a new token with the same configuration, update your application to use it, then revoke the old token. There’s no in-place rotation.