Managing tokens

Use the DevOps API to generate or revoke an application token for specific roles.

You can use the DevOps API to perform the actions which are available to you through your role permissions.

The following roles can use the application token to use the DevOps API:

Organization Administrator
Database Administrator

Prerequisites

Create an application token to authenticate your service account in the DevOps API.
Once you have authenticated your service account, you can create and revoke tokens the DevOps API.

Alternative token management option

As an alternative to the DevOps API, consider using the Astra DB Plugin for HashiCorp Vault, for dynamic token management via vault commands. See the plugin’s documentation on our GitHub site.

Specifically, you can:

Define a default lease time
Create new tokens with lease settings
List tokens by each one’s Client ID
View lease details
List all leases
Renew a lease
Revoke a token/lease before the lease expires
Delete a token

Generating a token for client

Get all clients within the organization:

cURL command (/v2)
Result

curl --request GET \
 --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <application_token>'

{"clients":[
	{"clientId":"DkFtHKMhDQDuQtlExkSzwbya",
		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
		"generatedOn":"2021-02-22T17:09:58.668Z"},
	{"clientId":"eYSboCJaESiblJZnKZWMxROv",
		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
		"generatedOn":"2021-04-28T18:49:11.323Z"}
]}

Create an application token for a specific client:

cURL command (/v2)
Result

curl --request POST \
 --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <application_token>' \
 --data '{"roles": ["<roleId>"]}'

{
  "clientId":"zjCEYwRGWocLfQJHBNQxvorr",
  "secret":"SLR.cllL1YzfJDnl+YhUv5DMKlx8HaeMFTKjIJ4I6YdKB7w-K7U_+j-a9daWbbcp0uugXW,hb.3J2S0PPqDNhT6+oUiPYYaI+,xuwm2O97.ZpHcYvCsnlrTyl8w1pH-0",
  "orgId":"dccb8c32-cc2a-4bea-bd95-47ab8eb20510",
  "roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
  "token":"AstraCS:zjCEYwRGWocLfQJHBNQxvorr:8709074baaf63e746cc5de52891e3a5ca88c73ae1fb7336652e9b59b9e69eff2",
  "generatedOn":"2021-04-30T19:38:26.147847107Z"
}

For the roleId, provide the relevant role’s id UUID value from a prior GET query, as shown in Getting existing roles in your organization. The API results will show the UUID for each role id.

Also refer to Generate token for client in the DevOps API.

Removing a token

When you remove a token, all users and roles assigned to that role will no longer have access.

Get a list of the available client IDs and secrets for your organization:

cURL command (/v2)
Result

curl --request GET \
 --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <application_token>'

{"clients":[
	{"clientId":"DkFtHKMhDQDuQtlExkSzwbya",
		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
		"generatedOn":"2021-02-22T17:09:58.668Z"},
	{"clientId":"eYSboCJaESiblJZnKZWMxROv",
		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
		"generatedOn":"2021-04-28T18:49:11.323Z"}
]}

Remove a token for a specific client ID:

curl --request DELETE \
 --url 'https://api.astra.datastax.com/v2/clientIdSecrets/<clientID>' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <application_token>'

Get a list of the available client IDs and secrets for your organization to confirm it was removed:

curl --request GET \
 --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <application_token>'

For more, see Revoke a token in the DevOps API.

What’s next?

You can now use your token to connect to the Astra DB APIs. See more about the available APIs: