Create Token

JFrog REST APIs

Products
JFrog Xray
Content Type
REST API
ft:sourceType
Paligo

Description: Creates an access token for the JFrog Platform. Only internal Artifactory users can generate a token using basic credentials via REST API.

Since: 7.21.1

Security: Requires a valid token or user credentials. You cannot create token by using basic credentials if you enabled multi-factor authentication.

You can create tokens at the project level, if you are a project admin. For more information, see Access Token Creation by Project Admins.Access Token Creation by Project Admins

You can create tokens through the JFrog Platform UI. For more information, see Access Tokens.Access Tokens

If you use basic credentials, you must enable creation of tokens in the JFrog Platform UI. For more information, see Enable Token Generation via API . You cannot create a token through a REST API if you enabled multi-factor authentication in the system.Enable Token Generation via API

Usage: POST /access/api/v1/tokens

Content-Type: application/x-www-form-urlencoded or application/json (both are supported)

Produces: application/json

This endpoint takes the following parameters:

Parameter

Description

grant_type

[Optional, default: "client_credentials"]

The grant type used to authenticate the request. In this case, the only value supported is "client_credentials" which is also the default value if this parameter is not specified.

username

[Optional, default: "subject" from authentication token]

The user name for which this token is created. The username is based on the authenticated user - either from the user of the authenticated token or based on the username (if basic auth was used). The username is then used to set the subject of the token: <service-id>/users/<username>

Limited to 255 characters.

scope

[Optional, default: applied-permissions/user]

The scope of access that the token provides. Access to the REST API is always provided by default. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope).

The supported scopes include:

  • applied-permissions/user - provides user access. If left at the default setting, the token will be created with the user-identity scope, which allows users to identify themselves in the Platform but does not grant any specific access permissions.

  • applied-permissions/admin - the scope assigned to admin users.

  • applied-permissions/groups - this scope assigns permissions to groups using the following format: applied-permissions/groups:<group-name>[,<group-name>...]

  • system:metrics:r - for getting the service metrics

  • system:livelogs:r - for getting the service live logs

  • applied-permissions/roles:project-name - provides access to elements associated with the project based on the project role. For example, applied-permissions/roles:project-name:developer,qa.

Note

The scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters.

expires_in

[Optional, default: 1 year]

The amount of time, in seconds, it would take for the token to expire.

An admin shall be able to set whether expiry is mandatory, what is the default expiry, and what is the maximum expiry allowed.

Must be non-negative.

refreshable

[Optional, default: false]

The token is not refreshable by default.

description

[Optional, default: empty]

Free text token description. Useful for filtering and managing tokens.

Limited to 1024 characters.

audience

[Optional, default: *@*]

A space-separated list of the other instances or services that should accept this token identified by their Service-IDs.

Limited to 255 characters.

include_reference_token

[Optional, default: false]

Generate a Reference Token (alias to Access Token) in addition to the full token (available from Artifactory 7.38.10).

Consider the following points when you use the Create Token API.

  • The scope is checked and validated - the authenticated principal must have the proper permissions to create a token with the requested scope.

  • If the scope includes applied-permissions/user then the token's username must be a valid existing user that is enabled (and not locked or disabled).

  • Only an admin can set the username for a name that is not the same as the authenticated principal

  • Only an admin can create the token with a group's scope.

  • The grant type is expected to be client_credentials for this API call (this is the default value if not provided).

  • From Artifactory 7.50.3, the "force revocable" flag in the tokens has been removed as a default setting and is now a Boolean parameter called force_revocable in the Create Token REST API. When this parameter is set to true, we will add the force_revocable flag to the token's extension.

    In addition, a new configuration has been added that sets the default for setting the force_revocable default when creating a new token (the default of this configuration will be "false" to ensure that the Circle of Trust remains in place.)

  • From Artifactory 7.63.2, users with basic credentials can create tokens through the REST API.

    If you use basic credentials, you must enable creation of tokens in the JFrog Platform UI. For more information, see Enable Token Generation via API . You cannot create a token through a REST API if you enabled multi-factor authentication in the system.Enable Token Generation via API