Documentation Index Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
Use this file to discover all available pages before exploring further.
Vault tokens are the primary authentication mechanism for interacting with HashiCorp Vault. Using the Vault CLI, you can create, inspect, renew, revoke, and check capabilities of tokens to tailor access control for your applications and users.
Table of Contents
Creating a Token Looking Up a Token Renewing a Token Revoking a Token Checking Token Capabilities References
1. Creating a Token Use the vault token create command to generate a new token with a specified TTL (time-to-live) and attached policies.
vault token create \ -ttl=5m \ -policy=training
Example output:
Key Value --- ----- token s.12VNpg4OA9tTdCd4V60DuDRK token_accessor lMIaz4Tn1t57wKXdsfNv7vlm token_duration 5m token_renewable true policies ["default" "training"]
Property Description token Authentication token string token_accessor String used to renew or revoke without exposing the token token_duration Initial TTL before expiration token_renewable Indicates if the token can be renewed policies List of Vault policies attached to the token
You can further customize a token with -display_name, multiple policies, and an explicit maximum TTL.
vault token create \ -display_name=jenkins \ -policy=training,certs \ -ttl=24h \ -explicit-max-ttl=72h
-display_name: Human-friendly identifier-policy: Comma-separated Vault policies-ttl: Initial lifetime (e.g., 24h)-explicit-max-ttl: Maximum lifetime across renewals
2. Looking Up a Token Inspect metadata for any token by running:
vault token lookup < token-or-accesso r >
Example:
vault token lookup s.12VNpg4OA9tTdCd4V60DuDRK
Key Value --- ----- accessor lMIaz4Tn1t57wKXdsfNv7vlm creation_time 1630613718 creation_ttl 5m display_name jenkins expire_time 2021-09-02T16:23:02Z explicit_max_ttl 72h id s.12VNpg4OA9tTd4V60DuDRK issue_time 2021-09-02T16:15:18Z last_renewal 2021-09-02T16:18:02Z num_uses 0 orphan false path auth/token/create policies [default training certs] renewable true ttl 3m12s type service
If you omit the identifier, Vault returns details for the token in your $VAULT_TOKEN:
3. Renewing a Token Extend a token’s TTL using vault token renew. You can renew by token ID or accessor:
# Renew by token ID vault token renew s.12VNpg4OA9tTdCd4V60DuDRK # Renew by accessor vault token renew -accessor lMIaz4Tn1t57wKXdsfNv7vlm
Renewal output confirms the new TTL and policies:
Key Value --- ----- token s.12VNpg4OA9tTdCd4V60DuDRK token_duration 5m renewable true policies ["default" "training"]
4. Revoking a Token To immediately invalidate a token, use:
vault token revoke < token-or-accesso r >
Example:
vault token revoke s.12VNpg4OA9tTdCd4V60DuDRK
Revoking a token is irreversible. Any sessions or processes using that token will lose access immediately.
5. Checking Token Capabilities Determine which operations a token can perform on a specific path:
vault token capabilities < toke n > < pat h >
Example:
vault token capabilities s.dhtIk8VsE3Mj61PuGP3ZfFrg kv/data/apps/webapp
Output:
create, list, read, sudo, update
This helps you audit and verify permissions for service accounts or automation tools.
6. References 
