Assess Vault Tokens Section Overview

Token Prefix Changes in Vault 1.10
Service Tokens
Batch and Recovery Tokens
Summary
Links and References

In this article, we explain the token prefix changes introduced in Vault 1.10 (released March 23, 2022). While the prefix format has been updated, token functionality and policy enforcement remain the same. Note that examples recorded before Vault 1.10 may still show the older single-letter prefixes.

The image describes updates to tokens in Vault 1.10, highlighting major changes such as a new prefix for service tokens and an increase in token length.

Existing tokens created before the upgrade keep their original prefixes (S., B., R.). Only tokens generated after upgrading to Vault 1.10 receive the new three-letter prefixes.

Token Prefix Changes in Vault 1.10

Vault 1.10 replaces the previous one-letter prefixes with more descriptive three-letter identifiers. The new mapping is:

Token Type	Old Prefix	New Prefix	Minimum Length
Service Token	`S.`	`hvs.`	95 bytes
Batch Token	`B.`	`hvb.`	unchanged
Recovery Token	`R.`	`hvr.`	unchanged

Service Tokens

Service tokens are the most common token type. In Vault 1.10, they now start with hvs. followed by at least 95 random bytes:

hvs.QRx4pz2RIka7RhhrjiVRBNjq...   # ≥95 bytes after “hvs.”

hvs. indicates a HashiCorp Vault Service token.
The random string that follows provides the required entropy.

Service tokens with insufficient length will be rejected. Always verify token length when automating creation.

Batch and Recovery Tokens

The image shows updates to token prefixes in Vault 1.10, with batch tokens now using the prefix "hvb.xxxxx" and recovery tokens using "hvr.xxxxx".

Batch and recovery tokens have also switched to three-letter prefixes:

hvb.AAAAQLQLP      # Batch token (was B.<string>)
hvr.ZZZZRTYUI      # Recovery token (was R.<string>)

hvb. marks a Batch token used for one-time API operations.
hvr. marks a Recovery token used for root recovery workflows.

Summary

When working with Vault 1.10 or later, newly generated tokens will use:

hvs. → Service token
hvb. → Batch token
hvr. → Recovery token

All token operations—vault token create, vault token revoke, or policy checks—remain unchanged under the new prefix scheme.

Links and References

Watch Video

Exam Tips for Objective 2

Announcement Token Update for Vault 1

⌘I

Introduction

Introduction to Vault

Learning the Vault Architecture

Installing Vault

Compare Authentication Methods

Create Vault Policies

Assess Vault Tokens

Compare and Configure Secrets Engines

Vault Agent

Vault Replication

Assess Vault Tokens Section Overview

Token Prefix Changes in Vault 1.10

Service Tokens

Batch and Recovery Tokens

Summary

Links and References

Watch Video

Introduction

Introduction to Vault

Learning the Vault Architecture

Installing Vault

Compare Authentication Methods

Create Vault Policies

Assess Vault Tokens

Compare and Configure Secrets Engines

Vault Agent

Vault Replication

​Token Prefix Changes in Vault 1.10

​Service Tokens

​Batch and Recovery Tokens

​Summary

​Links and References

Watch Video

Token Prefix Changes in Vault 1.10

Service Tokens

Batch and Recovery Tokens

Summary

Links and References