Hashicorp Vault: Token Management via CLI and API

Published: (December 11, 2025 at 01:53 AM EST)
3 min read
Source: Dev.to

Introduction

When interacting with HashiCorp Vault, tokens are the means of authentication and authorization. Issued by the various auth methods and associated with policies and roles, they grant access to the path-governed functionality of Vault.

This article details all CLI and API options for token management and provides several hands‑on command examples to create tokens with specific properties. The background material stems from the official HashiCorp Vault documentation about the token CLI commands and the Token auth method (API).

Token Lifecycle

  1. Creation – Tokens are created via an authentication method, by issuing a vault write command to a defined secrets store, or via the command line. Static information and metadata are stored for the token.
  2. Update – The only updatable value on a token is its expiration date. If the token is renewable, still valid, and has not surpassed an explicitly defined max-ttl, it can be renewed. The new expiration is the current time plus its defined TTL.
  3. Expiring / Revoking – All tokens, except the root token, expire once their TTL is reached or they are revoked. Their associated data is deleted, and any lease tied to the token is also removed.

Vault Token Command Group

The vault token command group implements interactions aligned with the token lifecycle:

Command        Description
create         Create a new token in the context of the current token (the one implicitly stored after a successful vault login or set via VAULT_TOKEN).
capabilities   Print the token's capabilities for a specific path (policy lookup).
lookup         Show all information about a token or a token accessor.
renew          Renew a token that has not expired and has not exceeded its usage limits.
revoke         Immediately deauthorize the token, stopping all further usage. Child tokens are revoked as well.

Note: Token values are 92 characters long but are abbreviated to 8 characters in the examples below.

vault token create

Instantiates a new managed token in the context of the current token. By default, a child token is generated with the same policies as its parent. Policies can be restricted but not extended; the parent must have sufficient rights. An explicit TTL can be defined to create a renewable token; otherwise, it will be non‑renewable. In both cases, max-ttl limits the upper validity timeframe.

Available Flags

Type

  • -type – Create either a service or batch token.

Capabilities

  • -orphan – Removes the relationship to the token used for creation. The resulting token is independent and can become a parent for other tokens.
  • -renewable – Tokens are renewable by default; pass -renewable=false to disable renewal.

Access Control

  • -policy – Attach the given policy to the token. Use the flag multiple times for multiple policies.
  • -role – Assign a role (authentication‑specific data structure) to the token, inheriting all properties defined in the role.

Validity

  • -explicit-max-ttl – Set an absolute, non‑extensible duration for the token.
  • -period – The TTL a periodic token is reset to on each renewal; such a token can be renewed indefinitely unless bounded by an explicit max TTL.
  • -ttl – Initial TTL value. If omitted, the engine or Vault’s base configuration TTL is used.
  • -use-limit – Maximum number of requests the token may be used for before it is automatically revoked.

Identification

  • -id – Provide a custom token ID (default is a random 92‑character base62 string).
  • -display-name – Human‑readable metadata.
  • -entity-alias – Link the token to a defined alias (must be allowed in allowed_entity_aliases).
  • -metadata – Additional key‑value pairs for identification (repeatable).

Example Creations

Multi‑Policy Token

vault token create -policy=secret-management -policy=kv2-management

Log output

Key                 Value
---                 -----
accessor            32OK6kKt2rk7mw4jQ0ZbXT3E
creation_time       1753526225
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time
explicit_max_ttl    0s
id                  hvs.HTMdJOhL
meta
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service

Periodic Token with Limited Renewability

vault token create -policy=secret-management -period=24h -use-limit=10

Log output

Key                 Value
---                 -----
accessor            inIuUf1uTkYjxHBxOOVg442Q
creation_time       1755334894
creation_ttl        24h
display_name        token
entity_id           n/a
expire_time         2025-08-17T11:01:34.540229+02:00
explicit_max_ttl    0s
id                  hvs.CAESIOam
issue_time          2025-08-16T11:01:34.540235+02:00
meta
num_uses            10
orphan              false
path                auth/token/create
period              24h
policies            [default secret-management]
renewable           true
ttl                 23h59m39s
type                service

Batch Token

vault token create -policy=kv2-management -type=batch -ttl=1h

Log output

Key                 Value
---                 -----
accessor            n/a
creation_time       1755335083
creation_ttl        1h
display_name        token
entity_id           n/a
expire_time         2025-08-16T12:04:43+02:00
explicit_max_ttl    0s
id                  hvb.AAAAAQLX
issue_time          2025-08-16T11:04:43+02:00
meta
num_uses            0
orphan              true
path                auth/token/create
policies            [default kv2-management]
renewable           false
ttl                 59m45s
type                batch

Orphaned Token with Explicit Max TTL

vault token create -policy=kv2-management -orphan -explicit-max-ttl=24h

Log output

Key                 Value
---                 -----
accessor            aiLPJrzGBU0lC1QdKDN1gHak
creation_time       1755335696
creation_ttl        24h
display_name        token
entity_id           n/a
expire_time         2025-08-17T11:14:56.773281+02:00
explicit_max_ttl    24h
id                  hvs.CAESIIpt
issue_time          2025-08-16T11:14:56.77329+02:00
meta
num_uses            0
orphan              true
path                auth/token/create
policies            [default kv2-management]
renewable           true
ttl                 23h59m44s
type                service
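The four creations above expressed as requests to the token auth method HTTP API, as an added example that is not code from the original post. It uses the API's own field names (policies, period, num_uses, explicit_max_ttl, ttl, type, renewable, meta, entity_alias) and the create-orphan and create/<role> endpoints the CLI selects for -orphan and -role; the rendered curl command assumes VAULT_ADDR and VAULT_TOKEN are set in the environment.

```python
# Added example, not code from the original post: map `vault token create`
# flags onto the token auth method API request (POST /v1/auth/token/create
# or its create-orphan / create/<role> variants), using the API field names.
import json


def build_token_create_request(policies=(), ttl=None, period=None,
                               use_limit=0, explicit_max_ttl=None,
                               token_type="service", orphan=False,
                               renewable=True, role=None, display_name=None,
                               metadata=None, entity_alias=None):
    """Return (api_path, body) for one `vault token create` flag set."""
    if token_type not in ("service", "batch"):
        raise ValueError("-type must be 'service' or 'batch'")
    if token_type == "batch" and period:
        raise ValueError("batch tokens are not renewable, so -period is invalid")
    # The CLI chooses the endpoint: -role and -orphan map to dedicated paths.
    if role:
        path = f"auth/token/create/{role}"
    elif orphan:
        path = "auth/token/create-orphan"
    else:
        path = "auth/token/create"
    # Batch tokens are never renewable; -renewable only affects service tokens.
    body = {"type": token_type,
            "renewable": bool(renewable) and token_type == "service"}
    # Duration flags are sent as strings such as "24h"; -use-limit becomes num_uses.
    for key, value in (("ttl", ttl), ("period", period),
                       ("explicit_max_ttl", explicit_max_ttl),
                       ("display_name", display_name),
                       ("entity_alias", entity_alias)):
        if value:
            body[key] = value
    if policies:
        body["policies"] = list(policies)    # -policy (repeatable)
    if use_limit:
        body["num_uses"] = int(use_limit)    # -use-limit
    if metadata:
        body["meta"] = dict(metadata)        # -metadata key=value (repeatable)
    return path, body


def as_curl(path, body):
    # VAULT_ADDR and VAULT_TOKEN are assumed to be set in the caller's shell.
    return ('curl -sS -X POST -H "X-Vault-Token: $VAULT_TOKEN" '
            f"-d '{json.dumps(body)}' \"$VAULT_ADDR/v1/{path}\"")


# The four CLI invocations from the post, as (path, body) pairs.
EXAMPLES = {
    "multi_policy": build_token_create_request(policies=["secret-management", "kv2-management"]),
    "periodic": build_token_create_request(policies=["secret-management"], period="24h", use_limit=10),
    "batch": build_token_create_request(policies=["kv2-management"], token_type="batch", ttl="1h"),
    "orphan": build_token_create_request(policies=["kv2-management"], orphan=True, explicit_max_ttl="24h"),
}
```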

vault token lookup

Shows all operational and metadata information about a token, including creation time, expiration timestamp, type, relationship, attached policies, and access paths. The token can be specified directly by its value or by its accessor.

vault token lookup $TOKEN

Log output (example)

Key                 Value
---                 -----
accessor            e1FpV6OfhwrqwE8LWF0pldTN
creation_time       1755361260
creation_ttl        1h
display_name        token
entity_id           n/a
expire_time         2025-08-16T18:52:24.218038+02:00
explicit_max_ttl    24h
id                  hvs.CAESIPEd
issue_time          2025-08-16T17:52:24.218038+02:00

(Additional fields omitted for brevity.)
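A lookup is also the natural place to audit token hygiene. The following added example (not code from the original post) classifies the JSON form of vault token lookup -format=json by the properties discussed above: root policy, tokens that never expire, periodic tokens with neither a max TTL nor a use limit, and renewable orphans with no max TTL. The three sample documents are constructed; their field values are modeled on the outputs shown in this post, with durations as integer seconds as the JSON output reports them.

```python
# Added example, not code from the original post: flag long-lived or
# over-privileged tokens from the output of `vault token lookup -format=json`.
import json

# Constructed samples shaped like the JSON output (durations are integer
# seconds there, not "24h" strings). ROOT_LOOKUP mirrors a root token, SERVICE_LOOKUP
# the lookup example above, PERIODIC_LOOKUP a periodic orphan with no use limit.
ROOT_LOOKUP = {"data": {
    "accessor": "32OK6kKt2rk7mw4jQ0ZbXT3E", "creation_ttl": 0, "display_name": "root",
    "expire_time": None, "explicit_max_ttl": 0, "id": "hvs.HTMdJOhL", "num_uses": 0,
    "orphan": True, "path": "auth/token/root", "policies": ["root"],
    "renewable": False, "ttl": 0, "type": "service"}}
SERVICE_LOOKUP = {"data": {
    "accessor": "e1FpV6OfhwrqwE8LWF0pldTN", "creation_ttl": 3600, "display_name": "token",
    "expire_time": "2025-08-16T18:52:24.218038+02:00", "explicit_max_ttl": 86400,
    "id": "hvs.CAESIPEd", "num_uses": 0, "orphan": False, "path": "auth/token/create",
    "policies": ["default", "kv2-management"], "renewable": True, "ttl": 3599,
    "type": "service"}}
PERIODIC_LOOKUP = {"data": {
    "accessor": "inIuUf1uTkYjxHBxOOVg442Q", "creation_ttl": 86400, "display_name": "token",
    "expire_time": "2025-08-17T11:01:34.540229+02:00", "explicit_max_ttl": 0,
    "id": "hvs.CAESIOam", "num_uses": 0, "orphan": True, "path": "auth/token/create",
    "period": 86400, "policies": ["default", "secret-management"], "renewable": True,
    "ttl": 86379, "type": "service"}}


def audit_token(lookup):
    """Return finding codes for one lookup document (dict or JSON string)."""
    d = (json.loads(lookup) if isinstance(lookup, str) else lookup)["data"]
    findings = []
    if "root" in d.get("policies", []):
        findings.append("root-policy")            # unrestricted access
    if not d.get("ttl") and not d.get("expire_time"):
        findings.append("never-expires")          # ttl 0s and no expire_time
    if d.get("period") and not d.get("explicit_max_ttl") and not d.get("num_uses"):
        findings.append("periodic-unbounded")     # renewable forever, no use cap
    if d.get("orphan") and d.get("renewable") and not d.get("explicit_max_ttl"):
        findings.append("orphan-without-max-ttl")  # outlives the token that created it
    return findings
```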
