HashiCorp Certified: Vault Associate Certification
Assess Vault Tokens
Managing Tokens using the API
In this guide, you’ll learn how to authenticate to Vault using an auth method, extract the client token from the API response, store it securely, and use it for subsequent requests. All examples use `jq` to parse JSON.
1. Authenticate and Retrieve a Client Token
When you log in (with any method other than token auth), Vault returns a JSON payload containing `auth.client_token`. Use `curl` to send your credentials:

```bash
curl --request POST \
  --data @payload.json \
  http://127.0.0.1:8200/v1/auth/userpass/login/bryan | jq
```
Sample response:
```json
{
  "request_id": "Ob4181fe-0dec-2261-5231-bb3f033387e5",
  "lease_id": "",
  "renewable": false,
  "auth": {
    "client_token": "s.WN54zL4c4wQJet9KS9KItkHW",
    "accessor": "zsapl3bBo0GzB5xVPZFEu3Th",
    "policies": ["default", "training"],
    "token_policies": ["default", "training"],
    "metadata": { "username": "bryan" },
    "lease_duration": 2764800,
    "renewable": true,
    "entity_id": "88669d54-b405-c27a-d468-410a1185eb0d",
    "token_type": "service",
    "orphan": true
  }
}
```
The value of `auth.client_token` is your Vault token for future API calls.
2. Store the Token
You have two common options for storing the token.
| Method | Command Example | Pros & Cons |
|---|---|---|
| File | `curl … \| jq -r ".auth.client_token" > token.txt` | |
| Environment | `export VAULT_TOKEN=$(curl … \| jq -r ".auth.client_token")` | |

Warning: Storing tokens in plain text files can expose secrets if file permissions aren’t locked down. Always enforce least-privilege access.
2.1 Save to a File
```bash
curl --request POST \
  --data @payload.json \
  http://127.0.0.1:8200/v1/auth/userpass/login/bryan \
  | jq -r ".auth.client_token" > token.txt

# Verify
cat token.txt
# s.dhtIk8VsE3Mj61PuGP3ZfFrg
```
2.2 Save to an Environment Variable
```bash
OUTPUT=$(curl --request POST \
  --data @payload.json \
  http://127.0.0.1:8200/v1/auth/userpass/login/bryan)
export VAULT_TOKEN=$(echo "$OUTPUT" | jq -r '.auth.client_token')

echo "$VAULT_TOKEN"
# s.dhtIk8VsE3Mj61PuGP3ZfFrg
```
3. Use the Token in API Requests
Vault supports two header styles for passing the token. Choose one:
| Header Style | Example |
|---|---|
| X-Vault-Token | `-H "X-Vault-Token: $VAULT_TOKEN"` |
| Authorization | `-H "Authorization: Bearer $VAULT_TOKEN"` |

The most common practice is to use `X-Vault-Token`.
3.1 Write a Secret
```bash
# Write to a KV version 1 mount. On a KV version 2 mount the path is
# secret/data/<name> and the payload must be wrapped as {"data": {...}}.
curl --header "X-Vault-Token: $VAULT_TOKEN" \
  --request POST \
  --data '{ "apikey": "3230sc$832d" }' \
  https://vault.example.com:8200/v1/secret/apikey/splunk
```
3.2 Read a Secret
```bash
# Read from a KV version 2 mount (note the /data/ segment in the path)
curl --header "X-Vault-Token: $VAULT_TOKEN" \
  --request GET \
  https://vault.example.com:8200/v1/secret/data/apikey/splunk
```
That’s it! Authenticate, extract `auth.client_token`, store it securely, and include it in the header for all Vault API calls.
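The same login-extract-store-use flow as a single script, added here as an example (not part of the course material) and written in Python with the standard library instead of `curl` and `jq`. The token file is created with mode 0600 to address the warning above; the sample response and the `vault.example.com` address are constructed placeholders.

```python
import json
import os
import urllib.request

# Constructed login response in the shape Vault returns (not a live token).
SAMPLE_LOGIN_RESPONSE = json.dumps({"auth": {
    "client_token": "s.WN54zL4c4wQJet9KS9KItkHW",
    "accessor": "zsapl3bBo0GzB5xVPZFEu3Th",
    "lease_duration": 2764800, "renewable": True, "token_type": "service"}})


def extract_client_token(body: str) -> str:
    """Equivalent of `jq -r .auth.client_token`, but fails loudly on an error body."""
    token = (json.loads(body).get("auth") or {}).get("client_token")
    if not token:
        raise ValueError("login response carries no auth.client_token")
    return token


def save_token_file(token: str, path: str) -> int:
    """Write the token readable by the owner only (0600); returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed
    return os.stat(path).st_mode & 0o777


def vault_headers(token: str, style: str = "x-vault-token") -> dict:
    """Build the auth header in either style Vault accepts."""
    if style == "authorization":
        return {"Authorization": f"Bearer {token}"}
    return {"X-Vault-Token": token}


def vault_request(addr: str, token: str, method: str, path: str, payload=None) -> dict:
    """Authenticated call, e.g. vault_request(addr, tok, "GET", "secret/data/apikey/splunk")."""
    data = json.dumps(payload).encode() if payload is not None else None
    headers = {**vault_headers(token), "Content-Type": "application/json"}
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # needs a reachable Vault server
        return json.loads(resp.read() or b"{}")


def login_userpass(addr: str, username: str, password: str) -> str:
    """POST to auth/userpass/login/<user> and return auth.client_token, as the curl example does."""
    body = json.dumps({"password": password}).encode()
    req = urllib.request.Request(f"{addr}/v1/auth/userpass/login/{username}", data=body,
                                 method="POST", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return extract_client_token(resp.read().decode())
```

Wire it together as `token = login_userpass("https://vault.example.com:8200", "bryan", password)`, then `save_token_file(token, "token.txt")` and `vault_request(addr, token, "GET", "secret/data/apikey/splunk")`.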