Notes on the Create Token API


  • The scope is checked and validated - the authenticated principal must have the proper permissions to create a token with the requested scope.

  • If the scope includes applied-permissions/user then the token's username must be a valid existing user that is enabled (and not locked or disabled).

  • Only an admin can set the username for a name that is not the same as the authenticated principal

  • Only an admin can create the token with a group's scope.

  • The grant type is expected to be client_credentials for this API call (this is the default value if not provided).

  • From Artifactory 7.50.3, the "force revocable" flag in the tokens has been removed as a default setting and is now a Boolean parameter called force_revocable in the Create Token REST API. When this parameter is set to true, we will add the force_revocable flag to the token's extension.

    In addition, a new configuration has been added that sets the default for setting the force_revocable default when creating a new token (the default of this configuration will be "false" to ensure that the Circle of Trust remains in place.)

Sample Usage:

curl -H "Authorization: Bearer <valid access token>" -XPOST "http://localhost:8082/access/api/v1/tokens" -d "scope=applied-permissions/user" 
  "token_id": "<id>"
  "access_token": "<access-token>",
  "refresh_token": "<refresh-token>",  // optional
  "expires_in": "<seconds>",             // optional      
  "scope": "applied-permissions/groups:<group-name>" 
  "scope": "applied-permissions/user",
  "token_type": "access_token"

This endpoint takes the following parameters:


[Optional, default: "client_credentials"]

The grant type used to authenticate the request. In this case, the only value supported is "client_credentials" which is also the default value if this parameter is not specified.


[Optional, default: "subject" from authentication token]

The user name for which this token is created. The username is based on the authenticated user - either from the user of the authenticated token or based on the username (if basic auth was used). The username is then used to set the subject of the token: <service-id>/users/<username>

Limited to 255 characters.


[Optional, default: applied-permissions/user]

The scope of access that the token provides. Access to the REST API is always provided by default. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope).

The supported scopes include:

  • applied-permissions/user - provides user access. If left at the default setting, the token will be created with the user-identity scope, which allows users to identify themselves in the Platform but does not grant any specific access permissions.

  • applied-permissions/admin - the scope assigned to admin users.

  • applied-permissions/groups - this scope assigns permissions to groups using the following format: applied-permissions/groups:<group-name>[,<group-name>...]

  • system:metrics:r- for getting the service metrics

  • system:livelogs:r - for getting the service livelogsr


The scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters.


[Optional, default: 1 year]

The amount of time, in seconds, it would take for the token to expire.

An admin shall be able to set whether expiry is mandatory, what is the default expiry, and what is the maximum expiry allowed.

Must be non-negative.


[Optional, default: false]

The token is not refreshable by default.


[Optional, default: empty]

Free text token description. Useful for filtering and managing tokens.

Limited to 1024 characters.


[Optional, default: *@*]

A space-separated list of the other instances or services that should accept this token identified by their Service-IDs.

Limited to 255 characters.


[Optional, default: false]

Generate a Reference Token (alias to Access Token) in addition to the full token (available from Artifactory 7.38.10).


  • 400 - Invalid input, e.g., expires_invalue is not a number, non-positive number, etc.

  • 401- Unauthenticated

  • 403 - The requested token details are forbidden, e.g.expires_inprovided but is higher than the limit defined by the admin, the user does not have the permissions on the scope he requested, etc.