[data directory](/docs/agent/options#_data_dir). Any future changes to the token that are made through the [API](/api-docs/agent#update-acl-tokens) will
be persisted to the same location, and the value in the config file will be ignored.
The ACL agent token can also be set using the [`consul acl set-agent-token`](/commands/acl/set-agent-token) CLI as shown below.
```shell-session
$ consul acl set-agent-token agent "<agent token here>"
```
## Configure Servers in Secondary Datacenters
Servers in secondary data centers must be configured to point to the primary data center
as shown in the following example. Secondary data centers also need the ACL replication token
provided to them.
### Create the replication token for ACL Management
Replication tokens are needed for ACL token replication and
to create both [configuration entries](/docs/agent/config-entries) and [auth methods](/docs/acl/auth-methods)
in connected secondary datacenters.
Replication tokens require the following permissions:
- `acl = "write"`: The permission allows you to replicate tokens.
- `operator = "write"`: This permission enables the `proxy-default` configuration entries to be replicated and enables CA certificate signing in the secondary datacenter.
- `policy = "read"` and `intentions = "read"` in the `service_prefix` field: These permissions enable `service-default` configuration entries, CA, and intention data to be replicated for all services.
feature, only ACL tokens in the default partition are replicated to other datacenters.
## WAN Join Servers
This step is needed for new federated cluster deployments in order for
servers in each federated datacenter to discover each other.
Run the following command from one of the server nodes.
```shell-session
$ consul join -token="ACL_MANAGEMENT_TOKEN" -wan [server 1, server 2, ...]
```
## Configure Clients in Secondary Datacenters
When ACLs are enabled, client agents need a special token known as the [`agent token`](/docs/security/acl/acl-system#acl-agent-token) to perform internal operations. Agent tokens need to have the right policies for node related actions, including
registering itself in the catalog, updating node level health checks, and performing [anti-entropy](/docs/architecture/anti-entropy) syncing.
### Generate Agent ACL Token
[ACL Node Identities](/docs/security/acl/acl-system#acl-node-identities) were introduced
in Consul 1.8.1 and enable easily creating agent tokens with appropriately scoped policies.
To generate the ACL token using node identity, run the following command:
```shell-session
$ consul acl token create -node-identity=<NODE_NAME>:<DATACENTER>
```
### Configure clients to use the ACL agent token
Update the client agents to include the token value from the previous step. Replace
the `ACL_AGENT_TOKEN` value below with the secret ID value from the command output.
<CodeTabs heading = "ACL Configuration in Client Agents">
```hcl
primary_datacenter = "PRIMARY_DATACENTER_NAME"
acl = {
enabled = true
default_policy = "deny"
down_policy = "deny"
tokens = {
agent = "ACL_AGENT_TOKEN"
}
}
```
```json
{
"primary_datacenter": "PRIMARY_DATACENTER_VALUE",
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "deny",
"tokens": {
"agent": "ACL_AGENT_TOKEN"
}
}
}
```
</CodeTabs>
Note that client agents have to be restarted for ACL related configuration changes to take effect.
## Summary
After completing the above steps, a federated Consul cluster can be used with ACLs. Refer to