About Access Tokens
JFrog Access provides JFrog Products with access tokens as a flexible means of authentication with a wide range of capabilities:
Cross-instance authentication: Access tokens can be used for authentication not only by the instance or cluster where they were created, but also by other instances and clusters that are all part of the same "circle of trust" (described below).
User and non-user authentication: The case for authenticating users is clear; however, access tokens can also be assigned to non-user entities such as CI server jobs.
Time-based access control: Access tokens have an expiry period, so you can control the period of time for which you grant access. However, you may also delegate that control to the receiving user by making them refreshable.
Flexible scope: By assigning Groups to tokens, you can control the level of access they provide.
Pairing tokens: Manage connections between different JFrog microservices.
UI Changes implemented in Artifactory 7.38.x and above
Identity and Access is now called User Management. All the relevant text and images on this page have been updated to reflect this change.
Access Token Structure
An access token has the following properties:
Property | Description |
---|---|
Subject | The user with which this access token is associated. If the user specified does not exist, the system will create a corresponding transient user. Administrators can assign a token to any subject (user); non-admin users who create tokens can only assign tokens to themselves. When creating the access token, the subject parameter should be the same as the username. When deleting tokens, tokens of different users with the same subject name will be deleted by design. |
Scope | Since 7.21.1, access tokens are scoped tokens. Access to the REST API is always provided by default; in addition, you may specify the group memberships that the token provides. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope). The supported scopes include: Note: The scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters. |
Audience | The set of instances or clusters on which the token may be used, identified by their Service IDs. The Service ID is a unique, internally generated identifier of a JFrog service or cluster and, in the case of Artifactory, is obtained through the Get Service ID REST API endpoint. |
Issuer | An identifier of the cluster on which the access token was created. |
Expiry | The date and time when the token will expire. |
Issued At | The date and time when the token was created. |
ID | The token ID. |
Access tokens are managed either through REST APIs, as described below, or through the JFrog Platform Access Token UI.
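
The properties in the table above can be reviewed before a token is handed to a user or CI job. The following is an added example, not JFrog's own code: it assumes the token is a JWT whose payload carries the Scope, Audience, Issued At and Expiry properties under the claim names `scp`, `aud`, `iat` and `exp`, and the Service IDs, allow-list and 90-day threshold are constructed sample values.

```python
import base64
import json
import time

MAX_SCOPE_CHARS = 500  # limit stated in the Scope row of the table above
# Assumed claim names (not stated on this page): scp, aud, iat, exp.

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a CONSTRUCTED, unsigned JWT-shaped token for offline testing."""
    return ".".join([b64url({"alg": "none"}), b64url(claims), "sig"])

def decode_claims(token):
    """Read the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_token(token, allowed_service_ids, max_days=90, now=None):
    """Return a list of findings for one token (empty list = nothing flagged)."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None:
        findings.append("no expiry claim")
    elif exp <= now:
        findings.append("already expired")
    elif iat is not None and exp - iat > max_days * 86400:
        findings.append(f"lifetime exceeds {max_days} days")
    scope = claims.get("scp", "")
    if len(scope) > MAX_SCOPE_CHARS:
        findings.append("scope longer than 500 characters")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # a single audience may be a string
    for service_id in aud:
        if service_id not in allowed_service_ids:
            findings.append(f"audience outside allow-list: {service_id}")
    return findings
```

Because the signature is not checked, this is a review aid for tokens you already hold, not an authentication check.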