The default authentication method in Vault is tokens. Any time you authenticate, regardless of the method, Vault creates a token, stores it somewhere, and then uses it for future interactions. This article discusses the process for managing your Vault tokens using the vault CLI.
Authentication using a token
When you first install Vault, you will be given a default root token. You can use this token to authenticate using the vault auth command:
vault auth <token>
Example: vault auth 9uhwwe8fhq2eo8hf8efh9fquhe
Now that you have authenticated, you have access to the rest of the vault commands.
Listing Tokens
You cannot list tokens in Vault. This is for security reasons: if you can see someone's token, you can use it for authentication. That said, when you authenticate in Vault, your token is stored as a user/system variable: VAULT_TOKEN. Depending on your OS, you can show your current token by running:
echo %VAULT_TOKEN%
or
echo $VAULT_TOKEN
While you cannot list the tokens, you can get a list of token accessors with the following command:
vault list auth/token/accessors
The above command will list the token accessors as well as their display names. This is useful if you are trying to revoke tokens.
Creating Tokens
You can create additional tokens for authentication using the vault token-create command. Depending on the arguments you specify, you will get different results. The default TTL of a token is 24 hours, meaning the token will automatically be destroyed after 24 hours.
Create token
To create a token with all of the default settings, and with the same privileges as the currently logged in user, run:
vault token-create
Warning: if you authenticated with a root token, this will create another root token. Root tokens don't expire the same way regular tokens do.
Specify Token Policy
If you want the token to have a specific policy applied, you can specify a policy with the -policy argument:
vault token-create -policy=mypolicy
Set TTL
You can specify a non-default TTL with the -ttl argument. The following command will create a vault token with a TTL of 1 hour:
vault token-create -policy=mypolicy -ttl="1h"
The above command will set the TTL to 1 hour. That means the token will expire after 1 hour. However, the token can be renewed, which will reset the TTL.
Renew Token
When your token is coming up for renewal, you don’t have to get a new one. You can simply renew your token lease, as long as it has not yet reached the max TTL. Renewing a token is done using the token-renew command:
vault token-renew <token>
Set Max TTL
Set the maximum TTL using the -explicit-max-ttl argument:
vault token-create -policy=mypolicy -explicit-max-ttl="1h"
When you create a token, you might have a TTL of 60 seconds, but the user or system can renew that lease up until it reaches the max TTL. Setting a max TTL ensures that tokens are short-lived, and harder to compromise.
Set Display Name
Set the display name of a token using the -display-name argument:
vault token-create -policy=mypolicy -ttl="1h" -display-name="My Token"
Create a token and set the current session to use that token
The following command has been tested on OSX. It creates a Vault token with a TTL of 1 hour, then sets your current session to use that token. Before this command will work, you first have to run brew install jq.
Create token and set current session to use that token on OSX
export VAULT_TOKEN=$(vault token-create -ttl="1h" -format=json | jq -r '.auth.client_token')
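Because token-create copies the caller's privileges by default, a session authenticated with a root token would quietly export another root token here. The following added example (not from the original article) checks the token-create JSON before it is exported; the 1-hour limit, the script name and the sample responses are assumptions constructed for illustration.

```python
import json
import shlex
import sys

# Constructed samples of `vault token-create -format=json` output (placeholder values).
SAMPLE_SCOPED = json.dumps({"auth": {
    "client_token": "EXAMPLE-TOKEN-0001", "accessor": "EXAMPLE-ACCESSOR-0001",
    "policies": ["default", "mypolicy"], "lease_duration": 3600, "renewable": True}})
SAMPLE_ROOT = json.dumps({"auth": {
    "client_token": "EXAMPLE-TOKEN-0002", "accessor": "EXAMPLE-ACCESSOR-0002",
    "policies": ["root"], "lease_duration": 0, "renewable": False}})

MAX_TTL_SECONDS = 3600  # assumed local limit, matching the 1h TTL used above


def review_token(raw, max_ttl=MAX_TTL_SECONDS):
    """Return (accessor, findings) for one token-create JSON response."""
    auth = json.loads(raw).get("auth") or {}
    findings = []
    ttl = auth.get("lease_duration") or 0
    if not auth.get("client_token"):
        findings.append("response contains no client_token")
    if "root" in (auth.get("policies") or []):
        findings.append("token carries the root policy")
    if ttl == 0:
        findings.append("token has no TTL and will not expire")
    elif ttl > max_ttl:
        findings.append(f"TTL of {ttl}s exceeds the {max_ttl}s limit")
    return auth.get("accessor"), findings


def export_line(raw, max_ttl=MAX_TTL_SECONDS):
    """Return a shell export line for a token that passes review, else raise."""
    accessor, findings = review_token(raw, max_ttl)
    if findings:
        # Report the accessor, never the token itself, so the message is safe to log.
        raise ValueError(f"refusing token (accessor {accessor}): " + "; ".join(findings))
    token = json.loads(raw)["auth"]["client_token"]
    return "export VAULT_TOKEN=" + shlex.quote(token)


if __name__ == "__main__":
    # Usage: eval "$(vault token-create -ttl=1h -format=json | python3 check_token.py)"
    try:
        print(export_line(sys.stdin.read()))
    except ValueError as err:
        sys.exit(str(err))
```

The accessor in the refusal message is enough to revoke the unwanted token later without the token ever appearing in a log.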
Destroying Tokens
When you are finished with tokens, it is good to destroy them so they cannot be used by unauthorized users and systems. To destroy a token, run:
vault token-revoke <TokenID>
Additional resources
The official HashiCorp resources on tokens can be found here:
https://www.vaultproject.io/docs/concepts/tokens.html
I also found this blog about vault useful: