Skip to main content
Managing tokens effectively is crucial for secure, reliable access to Vault. By choosing the right token type, you can tailor authentication lifecycles to your application’s needs. This guide covers three core scenarios and shows you how to create:
  • Periodic service tokens for long-running applications
  • Service tokens with usage limits for sensitive actions
  • Orphan tokens with independent lifecycles

Periodic Service Tokens

For legacy or long-running applications that cannot handle token rotation, a periodic service token is ideal. It has a finite Time-To-Live (TTL) but no maximum TTL, so you can renew it indefinitely without changing the token string.
Periodic service tokens allow your application to continue using the same token for as long as needed, avoiding code changes for token refresh.
vault token create \
  -policy="your-policy" \
  -period="24h"
The image shows an app developer expressing a concern about a long-running app that cannot handle token regeneration, with a suggestion to use a periodic service token.

Service Tokens with Usage Limits

When you need a token to expire automatically after a set number of uses—such as for one-time administrative tasks—use a service token with the num_uses parameter. Vault revokes the token once it hits the usage threshold. 
vault token create \
  -policy="sensitive-action" \
  -num_uses=3
The image shows a cartoon of a principal engineer requesting a token that revokes automatically after one use, with a suggestion to use a service token with a use limit.

Orphan Tokens

To prevent your token’s lifecycle from being tied to a parent token—ensuring its expiration or revocation only follows its own rules—create an orphan token. This token has no parent relationship, giving you full control over its lifecycle.
Orphan tokens are not revoked automatically with their parent. Always plan for manual revocation to avoid orphaned credentials.
vault token create \
  -policy="independent-policy" \
  -orphan
The image shows a cartoon character labeled "DevOps Engineer" expressing a concern about token expiration being influenced by its parent, under the title "Controlling Token Lifecycle."

Summary Table

Below is a quick reference comparing each token type, its primary use case, and example CLI commands.
Token TypeUse CaseExample CLI
Periodic Service TokenLong-running apps needing indefinite renewalvault token create -policy="your-policy" -period="24h"
Service Token with Usage LimitOne-time or limited-use operationsvault token create -policy="sensitive-action" -num_uses=3
Orphan TokenIndependent lifecycle, unaffected by parentsvault token create -policy="independent-policy" -orphan
The image is a slide titled "Controlling Token Lifecycle" with a table summarizing challenges and solutions related to token management. It includes solutions like "Periodic Service Token" and "Orphan Service Token" for specific challenges.

Watch Video