Perform a CLI request using a Token

When interacting with HashiCorp Consul via the CLI, you must authenticate requests using an ACL token. This guide covers four primary ways to supply your token:

Environment variables persist across all Consul commands in your current shell, while CLI flags apply only to the specific command where they’re used.

1. Export an Environment Variable

Supply the ACL token once per session. All subsequent Consul commands will automatically pick it up:

export CONSUL_HTTP_TOKEN=ec15675e-2999-d789-832e-8c4794daa8d7
consul members   # Uses token from $CONSUL_HTTP_TOKEN

2. Export a Token-File Environment Variable

If you prefer keeping tokens out of your shell history, you can point to a file that contains the token:

export CONSUL_HTTP_TOKEN_FILE=/etc/consul/token.txt
consul members   # Reads the token from /etc/consul/token.txt

Validate that the file has restrictive permissions (chmod 600) to protect sensitive data.

3. Use the --token Flag

For one-off commands, specify the token inline. This overrides any environment variable settings:

consul members --token ec15675e-2999-d789-832e-8c4794daa8d7

4. Use the --token-file Flag

Combine the security of a file with the precision of a per-command setting:

consul members --token-file /etc/consul/token.txt

Summary

When starting a new shell session, remember to re-export any environment variables. In exam or production scenarios, you may be asked to demonstrate any of these four ACL token injection techniques.

Links and References

• Consul ACL Concepts
• Consul CLI Reference
• Secure Shell Best Practices