Access Tokens

JFrog Platform Administration Documentation

Content Type
Administration / Platform
ft:sourceType
Paligo

You can manage Access tokens through REST APIs or through the JFrog Platform UI - in the administration module, go to User Management | Access Tokens.ACCESS TOKENS

You need to have admin privileges to create admin tokens. You can also create access tokens specific to your project if you are a project admin.

JFrog Access provides JFrog Products with access tokens as a flexible means of authentication with a wide range of capabilities.

  • Cross-instance authentication

    Access tokens can be used for authentication, not only by the instance or cluster where they were created but also for other instances and clusters that are all part of the same circle of trust.

  • User and non-user authentication

    The case for authenticating users is clear, however, access tokens can also be assigned to non-user entities such as CI server jobs.

  • Time-based access control

    Access tokens have an expiry period so you can control the period of time for which you grant access. However, you may also delegate that control to the receiving user by making them refreshable

  • Flexible scope

    By assigning Groups to tokens, you can control the level of access they provide.

  • Pairing tokens

    Manage connections between different JFrog microservices.

An access token has the following properties.

Property

Description

Subject

The user to which this access token is associated. If the user specified does not exist, the system will create a corresponding transient user. Administrators can assign a token to any subject (user); non-admin users who create tokens can only assign tokens to themselves.

When creating the access token, the subject parameter should be the same as the username. When deleting tokens, tokens of different users with the same subject name will be deleted by design.

Scope

The supported scopes include:

Since 7.21.1, access tokens are scoped tokens. Access to the REST API is always provided by default; in addition, you may specify the group memberships that the token provides. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope).

The supported scopes include:

  • applied-permissions/user - provides user access. If left at the default setting, the token will be created with the user-identity scope, which allows users to identify themselves in the Platform but does not grant any specific access permissions.

  • applied-permissions/admin - the scope assigned to admin users.

  • applied-permissions/groups - this scope assigns permissions to groups using the following format: applied-permissions/groups:<group-name>[,<group-name>...]

  • system:metrics:r- for getting the service metrics

  • system:livelogs:r - for getting the service live logs

  • applied-permissions/roles:project-key - provides access to elements associated with the project based on the project role. For example, applied-permissions/roles:project-key:developer,qa.

Note

The scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters.

From Artifactory 7.84.3, project admins can create access tokens that are tied to the projects in which they hold administrative privileges.

Audience

The set of instances or clusters on which the token may be used identified by their Service IDs. The Service ID is a unique, internally generated identifier of a JFrog service or cluster and, in the case of Artifactory, is obtained through Get Service ID REST API endpoint.Get Service ID

Issuer

An identifier of the cluster on which the access token was created

Expiry

The date and time when the token will expire.

Issued At

The date and time when the token was created.

ID

The token ID