---
layout: "docs"
page_title: "Tokens"
sidebar_current: "docs-concepts-tokens"
description: |-
  Tokens are a core authentication method in Vault. Child tokens, token-based revocation, and more.
---

# Tokens

Tokens are the core method for _authentication_ within Vault. Tokens
can be used directly or [authentication backends](/docs/concepts/auth.html)
can be used to dynamically generate tokens based on external identities.

If you've gone through the getting started guide, you probably noticed that
`vault server -dev` (or `vault init` for a non-dev server) outputs an
initial "root token." This is the first method of authentication for Vault.
It is also the only authentication backend that cannot be disabled.

As stated in the [authentication concepts](/docs/concepts/auth.html),
all external authentication mechanisms such as GitHub map down to dynamically
created tokens. These tokens have all the same properties as a normal
manually created token.

On this page, we'll show you how to create and manage tokens.

## Token Creation

Tokens are created via the API or using `vault token-create` from the CLI.
This will create a new token that is a child of the currently authenticated
token. As a child, the new token will automatically be revoked if the parent
is revoked.

If you're logged in as root, you can create an _orphan_ token by
specifying the `-orphan` flag. An orphan token has no parent, so revoking
your token will not revoke the orphan.

Metadata attached to the token with the `-metadata` flag annotates
the token with information that is added to the audit log.

Finally, the `-policy` flag can be used to set the policies associated
with the token. Learn more about policies on the
[policies concepts](/docs/concepts/policies.html) page.

## Token Leases

Every token has a lease associated with it. These leases behave in much
the same way as [leases for secrets](/docs/concepts/lease.html). After
the lease period is up, the token will no longer function, and Vault
will revoke it.

To keep your token from being revoked, use the `vault token-renew`
command to renew the lease on the token periodically.

After a token is revoked, all of the secrets in use by that token will
also be revoked. Therefore, if a user requests AWS access keys, for example,
then after the token expires the AWS access keys will also expire, even
if they had remaining lease time.
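
The rules from "Token Creation" and "Token Leases" can be checked together in a small model. The following is an added example, not Vault's code or API: `Token`, `TokenStore`, `scenario` and all token names, secret names and times (in seconds) are constructed for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class Token:
    name: str
    expires_at: float                            # end of the token's lease
    parent: "Token | None" = None
    children: list = field(default_factory=list)
    secrets: dict = field(default_factory=dict)  # secret name -> its own lease expiry
    revoked: bool = False

class TokenStore:  # toy model of the rules on this page, not Vault's implementation
    def __init__(self):
        self.tokens, self.revoked_secrets = [], []
    def create(self, name, parent, lease, now, orphan=False):
        tok = Token(name, now + lease, None if orphan else parent)
        if tok.parent is not None:
            tok.parent.children.append(tok)
        self.tokens.append(tok)
        return tok
    def renew(self, tok, lease, now):
        if tok.revoked or now >= tok.expires_at:
            raise ValueError(f"{tok.name}: lease is up, token cannot be renewed")
        tok.expires_at = now + lease
    def revoke(self, tok):
        if tok.revoked:
            return
        tok.revoked = True
        # Secrets go with the token, whatever lease time they had left.
        self.revoked_secrets += sorted(tok.secrets)
        for child in tok.children:               # revocation cascades to children
            self.revoke(child)
    def expire(self, now):
        for tok in self.tokens:                  # revoke tokens whose lease is up
            if not tok.revoked and now >= tok.expires_at:
                self.revoke(tok)

def scenario():
    store = TokenStore()
    root = store.create("root", None, lease=10_000, now=0)
    ops = store.create("ops", root, lease=100, now=0)        # child of root
    app = store.create("app", ops, lease=10_000, now=0)      # child of ops
    batch = store.create("batch", root, lease=10_000, now=0, orphan=True)
    app.secrets["aws-keys"] = 5_000       # secret lease outlives ops' lease
    store.renew(ops, lease=100, now=50)   # ops is now good until t=150
    store.expire(now=120)                 # nothing lapses: ops was renewed
    alive_at_120 = not ops.revoked
    store.expire(now=150)                 # ops lapses; app and its AWS keys go too
    store.revoke(root)                    # the orphan is not in root's tree
    return alive_at_120, ops.revoked, app.revoked, batch.revoked, store.revoked_secrets
```

`scenario()` shows the two things that matter when planning token hierarchies: a short-lived parent takes its long-lived children and their secrets down with it, and an orphan outlives the token that created it, so it needs its own lease and revocation plan.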