2015-04-18 20:35:55 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
|
|
|
page_title: "Auth Backend: Token"
|
|
|
|
sidebar_current: "docs-auth-token"
|
|
|
|
description: |-
|
|
|
|
The token store auth backend is used to authenticate using tokens.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Auth Backend: Token
|
|
|
|
|
|
|
|
The token backend is the only auth backend that is built-in and
|
2015-04-26 03:21:59 +00:00
|
|
|
automatically available at `/auth/token` as well as with first-class
|
2015-04-18 20:35:55 +00:00
|
|
|
built-in CLI methods such as `vault token-create`. It allows users to
|
|
|
|
authenticate using a token, as well to create new tokens, revoke
|
|
|
|
secrets by token, and more.
|
|
|
|
|
|
|
|
When any other auth backend returns an identity, Vault core invokes the
|
|
|
|
token backend to create a new unique token for that identity.
|
|
|
|
|
|
|
|
The token store can also be used to bypass any other auth backend:
|
|
|
|
you can create tokens directly, as well as perform a variety of other
|
|
|
|
operations on tokens such as renewal and revocation.
|
|
|
|
|
2015-04-18 20:45:50 +00:00
|
|
|
Please see the [token concepts](/docs/concepts/tokens.html) page dedicated
|
2015-04-18 20:35:55 +00:00
|
|
|
to tokens.
|
|
|
|
|
|
|
|
## Authentication
|
|
|
|
|
|
|
|
#### Via the CLI
|
|
|
|
|
|
|
|
```
|
|
|
|
$ vault auth <token>
|
|
|
|
...
|
|
|
|
```
|
|
|
|
|
|
|
|
#### Via the API
|
|
|
|
|
2015-09-03 14:36:59 +00:00
|
|
|
The token is set directly as a header for the HTTP API. The name
|
|
|
|
of the header should be "X-Vault-Token" and the value should be the token.
|
2015-04-18 20:35:55 +00:00
|
|
|
|
|
|
|
## API
|
|
|
|
|
2015-11-03 20:15:33 +00:00
|
|
|
### /auth/token/create[-orphan]
|
2015-04-27 04:08:11 +00:00
|
|
|
#### POST
|
2015-04-26 03:21:59 +00:00
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
<dl class="api">
|
2015-04-26 03:21:59 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Creates a new token. Certain options are only available to
|
2015-11-03 20:15:33 +00:00
|
|
|
when called by a root token. If used via the
|
|
|
|
`/auth/token/create-orphan` endpoint, a root token is not
|
|
|
|
required to create an orphan token (otherwise set with the
|
|
|
|
`no_parent` option).
|
2015-04-26 03:21:59 +00:00
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
2015-11-03 20:15:33 +00:00
|
|
|
<dd>`/auth/token/create[-orphan]`</dd>
|
2015-04-26 03:21:59 +00:00
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">id</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
The ID of the client token. Can only be specified by a root token.
|
|
|
|
Otherwise, the token ID is a randomly generated UUID.
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">policies</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
A list of policies for the token. This must be a subset of the
|
|
|
|
policies belonging to the token making the request, unless root.
|
|
|
|
If not specified, defaults to all the policies of the calling token.
|
|
|
|
</li>
|
|
|
|
<li>
|
2015-07-13 09:10:44 +00:00
|
|
|
<span class="param">meta</span>
|
2015-04-26 03:21:59 +00:00
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
A map of string to string valued metadata. This is passed through
|
|
|
|
to the audit backends.
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">no_parent</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
If true and set by a root caller, the token will not have the
|
|
|
|
parent token of the caller. This creates a token with no parent.
|
|
|
|
</li>
|
2015-11-09 22:30:50 +00:00
|
|
|
<li>
|
|
|
|
<span class="param">no_default_profile</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
If true the `default` profile will not be a part of this token's
|
|
|
|
policy set.
|
|
|
|
</li>
|
2015-04-26 03:21:59 +00:00
|
|
|
<li>
|
|
|
|
<span class="param">lease</span>
|
|
|
|
<span class="param-flags">optional</span>
|
2015-09-25 13:46:20 +00:00
|
|
|
DEPRECATED; use "ttl" instead.
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">ttl</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
The TTL period of the token, provided as "1h", where hour is
|
2015-07-30 13:42:49 +00:00
|
|
|
the largest suffix. If not provided, the token is valid for the
|
2015-09-25 13:46:20 +00:00
|
|
|
[default lease TTL](/docs/config/index.html), or
|
2015-07-30 13:42:49 +00:00
|
|
|
indefinitely if the root policy is used.
|
2015-04-26 03:21:59 +00:00
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">display_name</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
The display name of the token. Defaults to "token".
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">num_uses</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
The maximum uses for the given token. This can be used to create
|
|
|
|
a one-time-token or limited use token. Defaults to 0, which has
|
|
|
|
no limit to number of uses.
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
2015-04-27 04:08:11 +00:00
|
|
|
|
2015-04-26 03:21:59 +00:00
|
|
|
```javascript
|
|
|
|
{
|
|
|
|
"auth": {
|
2015-10-12 16:10:22 +00:00
|
|
|
"client_token": "ABCD",
|
|
|
|
"policies": ["web", "stage"],
|
|
|
|
"metadata": {"user": "armon"},
|
|
|
|
"lease_duration": 3600,
|
|
|
|
"renewable": true,
|
2015-04-26 03:21:59 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
2015-04-27 04:08:11 +00:00
|
|
|
|
2015-04-26 03:21:59 +00:00
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
### /auth/token/lookup-self
|
|
|
|
#### GET
|
2015-04-26 03:21:59 +00:00
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
<dl class="api">
|
2015-04-26 03:21:59 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Returns information about the current client token.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>GET</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
|
|
|
"data": {
|
|
|
|
"id": "ClientToken",
|
|
|
|
"policies": ["web", "stage"],
|
|
|
|
"path": "auth/github/login",
|
|
|
|
"meta": {"user": "armon", "organization": "hashicorp"},
|
|
|
|
"display_name": "github-armon",
|
|
|
|
"num_uses": 0,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
### /auth/token/lookup/
|
|
|
|
#### GET
|
2015-04-26 03:21:59 +00:00
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
<dl class="api">
|
2015-04-26 03:21:59 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
2016-01-26 07:26:29 +00:00
|
|
|
Returns information about the client token provided in the request path.
|
2015-04-26 03:21:59 +00:00
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>GET</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/auth/token/lookup/<token>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
|
|
|
"data": {
|
|
|
|
"id": "ClientToken",
|
|
|
|
"policies": ["web", "stage"],
|
|
|
|
"path": "auth/github/login",
|
|
|
|
"meta": {"user": "armon", "organization": "hashicorp"},
|
|
|
|
"display_name": "github-armon",
|
|
|
|
"num_uses": 0,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
### /auth/token/revoke/
|
|
|
|
#### POST
|
2015-04-26 03:21:59 +00:00
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
<dl class="api">
|
2015-04-26 03:21:59 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Revokes a token and all child tokens. When the token is revoked,
|
|
|
|
all secrets generated with it are also revoked.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/auth/token/revoke/<token>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>`204` response code.
|
2015-09-17 17:22:30 +00:00
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
|
|
|
### /auth/token/revoke-self/
|
|
|
|
#### POST
|
|
|
|
|
|
|
|
<dl class="api">
|
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Revokes the token used to call it and all child tokens.
|
|
|
|
When the token is revoked, all secrets generated with
|
|
|
|
it are also revoked.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/auth/token/revoke-self`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>`204` response code.
|
2015-04-26 03:21:59 +00:00
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
### /auth/token/revoke-orphan/
|
|
|
|
#### POST
|
2015-04-26 03:21:59 +00:00
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
<dl class="api">
|
2015-04-26 03:21:59 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Revokes a token but not its child tokens. When the token is revoked,
|
|
|
|
all secrets generated with it are also revoked. All child tokens
|
2015-04-28 18:32:04 +00:00
|
|
|
are orphaned, but can be revoked sub-sequently using `/auth/token/revoke/`.
|
2015-04-26 03:21:59 +00:00
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/auth/token/revoke-orphan/<token>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>`204` response code.
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
### /auth/token/revoke-prefix/
|
|
|
|
#### POST
|
2015-04-26 03:21:59 +00:00
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
<dl class="api">
|
2015-04-26 03:21:59 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Revokes all tokens generated at a given prefix, along with child tokens,
|
|
|
|
and all secrets generated using those tokens. Uses include revoking all
|
|
|
|
tokens generated by a credential backend during a suspected compromise.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/auth/token/revoke-prefix/<prefix>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>`204` response code.
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-10-21 14:53:20 +00:00
|
|
|
### /auth/token/renew-self
|
|
|
|
#### POST
|
|
|
|
|
|
|
|
<dl class="api">
|
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Renews a lease associated with the callign token. This is used to prevent
|
|
|
|
the expiration of a token, and the automatic revocation of it. Token
|
|
|
|
renewal is possible only if there is a lease associated with it.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/auth/token/renew-self`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">increment</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
An optional requested lease increment can be provided. This
|
|
|
|
increment may be ignored.
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
|
|
|
"auth": {
|
|
|
|
"client_token": "ABCD",
|
|
|
|
"policies": ["web", "stage"],
|
|
|
|
"metadata": {"user": "armon"},
|
|
|
|
"lease_duration": 3600,
|
|
|
|
"renewable": true,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
### /auth/token/renew/
|
|
|
|
#### POST
|
2015-04-26 03:21:59 +00:00
|
|
|
|
2015-04-27 04:08:11 +00:00
|
|
|
<dl class="api">
|
2015-04-26 03:21:59 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
2015-09-12 01:08:32 +00:00
|
|
|
Renews a lease associated with a token. This is used to prevent the
|
|
|
|
expiration of a token, and the automatic revocation of it. Token
|
|
|
|
renewal is possible only if there is a lease associated with it.
|
2015-04-26 03:21:59 +00:00
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/auth/token/renew/<token>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">increment</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
An optional requested lease increment can be provided. This
|
|
|
|
increment may be ignored.
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
2015-04-27 02:07:25 +00:00
|
|
|
|
|
|
|
```javascript
|
2015-04-26 03:21:59 +00:00
|
|
|
{
|
|
|
|
"auth": {
|
2015-10-12 16:10:22 +00:00
|
|
|
"client_token": "ABCD",
|
|
|
|
"policies": ["web", "stage"],
|
|
|
|
"metadata": {"user": "armon"},
|
|
|
|
"lease_duration": 3600,
|
|
|
|
"renewable": true,
|
2015-04-26 03:21:59 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
</dd>
|
|
|
|
</dl>
|
2015-10-21 14:53:20 +00:00
|
|
|
|