Create Token (Deprecated)


JFrog Xray
Content Type


This API is being deprecated and replaced by the Access Tokens API.

Description: Creates an access token

Since: 5.0.0

Security: Requires a valid user Usage: POST /api/security/token

Content-Type: application/x-www-form-urlencoded

Produces: application/json

   "access_token":   "<the access token>",
   "expires_in":    <Validity period in seconds>,
   "scope":         "<access scope>",
   "token_type":    "Bearer",
   "refresh_token": "<the refresh token if access_token is refreshable>"

Sample Usage:

curl -uadmin:password -XPOST "http://localhost:8081/artifactory/api/security/token" -d "username=johnq" -d "scope=member-of-groups:readers"
   "access_token":   "adsdgbtybbeeyh...",
   "expires_in":    3600,
   "scope":         "api:* member-of-groups:readers",
   "token_type":    "Bearer",
   "refresh_token": "fgsfgsdugh8dgu9s8gy9hsg..."

This endpoint takes the following parameters:


[Optional, default: "client_credentials"]

The grant type used to authenticate the request. In this case, the only value supported is "client_credentials" which is also the default value if this parameter is not specified.


The user name for which this token is created. If the user does not exist, a transient user is created. Non-admin users can only create tokens for themselves so they must specify their own username.

If the user does not exist, the member-of-groups scope token must be provided (e.g. member-of-groups: g1, g2, g3...)


The scope to assign to the token provided as a space-separated list of scope tokens. Currently there are three possible scope tokens:

  • "api:*" - indicates that the token grants access to REST API calls. This is always granted by default whether specified in the call or not.

  • member-of-groups:[<group-name>] - indicates the groups that the token is associated with (e.g.member-of-groups: g1, g2, g3...). The token grants access according to the permission targets specified for the groups listed.

    Space in a group name

    If any of the group names includes a space character, the whole value should be enclosed in escaped quotation marks. For example:

    scope=member-of-groups:\"readers,test group\"

    Specify "*" for group-name to indicate that this is a "user-scoped token", i.e., the token provides the same access privileges that the current subject, as specified in the username parameter, has, and is therefore evaluated dynamically.

    A non-admin user can only provide a scope that is a subset of the groups to which the user belongs.

  • "jfrt@<instance-id>:admin" - provides admin privileges on the specified Artifactory instance. This is only available for administrators.


[Optional, default: 3600]

The time in seconds for which the token will be valid. To specify a token that never expires, set to zero. Non-admin can only set a value that is equal to or less than the default 3600.


[Optional, default: false]

If true, this token is refreshable and the refresh token can be used to replace it with a new token once it expires.


[Optional, default: Only the service ID of the Artifactory instance that created the token]

A space-separate list of the other Artifactory instances or services that should accept this token identified by their Artifactory Service IDs as obtained from the Get Server ID endpoint.

In case you want the token to be accepted by all Artifactory instances you may use the following audience parameter "audience=jfrt@*".