--- layout: "docs" page_title: "Commands: ACL Token Create" sidebar_current: "docs-commands-acl-token-create" --- # Consul ACL Token Create Command: `consul acl token create` This command creates new tokens. When creating a new token, policies may be linked using either the `-policy-id` or the `-policy-name` options. When specifying policies by IDs you may use a unique prefix of the UUID as a shortcut for specifying the entire UUID. ## Usage Usage: `consul acl token create [options] [args]` #### API Options <%= partial "docs/commands/http_api_options_client" %> <%= partial "docs/commands/http_api_options_server" %> #### Command Options * `-accessor=` - Create the token with this Accessor ID. It must be a UUID. If not specified one will be auto-generated * `-description=` - A description of the token. * `-expires-ttl=` - Duration of time this token should be valid for. * `-local` - Create this as a datacenter local token. * `-meta` - Indicates that token metadata such as the content hash and raft indices should be shown for each entry. * `-policy-id=` - ID of a policy to use for this token. May be specified multiple times. * `-policy-name=` - Name of a policy to use for this token. May be specified multiple times. * `-role-id=` - ID of a role to use for this token. May be specified multiple times. * `-role-name=` - Name of a role to use for this token. May be specified multiple times. * `-service-identity=` - Name of a service identity to use for this token. May be specified multiple times. Format is the `SERVICENAME` or `SERVICENAME:DATACENTER1,DATACENTER2,...` * `-secret=` - Create the token with this Secret ID. It must be a UUID. If not specified one will be auto-generated. **Note**: The SecretID is used to authorize operations against Consul and should be generated from an appropriate cryptographic source. ## Examples Create a new token: ```sh $ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d SecretID: ec15675e-2999-d789-832e-8c4794daa8d7 Description: Read Nodes and Services Local: false Create Time: 2018-10-22 15:33:39.01789 -0400 EDT Policies: 06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read ``` Create a new local token: ```sh $ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local AccessorID: 4fdf0ec8-d251-3865-079c-7247c974fc50 SecretID: 02143514-abf2-6c23-0aa1-ec2107e68f6b Description: Read Nodes and Services Local: true Create Time: 2018-10-22 15:34:19.330265 -0400 EDT Policies: 06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read ``` Create a new token and link with policies by name: ```sh $ consul acl token create -description "Super User" -policy-name global-management AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa SecretID: ada7f751-f654-8872-7f93-498e799158b6 Description: Super User Local: false Create Time: 2018-10-22 15:35:28.787003 -0400 EDT Policies: 00000000-0000-0000-0000-000000000001 - global-management ``` Create a new token with one service identity that expires in 15 minutes: ```sh $ consul acl token create -description 'crawler token' -service-identity 'crawler' -expires-ttl '15m' AccessorID: 0c083aca-6c15-f0cc-c4d9-30578db54cd9 SecretID: 930dafb6-5c08-040b-23fb-a368a95256f9 Description: crawler token Local: false Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT Expiration Time: 2019-04-25 17:00:49.337687334 -0500 CDT Service Identities: crawler (Datacenters: all) ```