Debug School

Navuru SrinivasaRao

What are the types of tokens and their use cases

Token Types

As of Vault 1.0, there are two types of tokens: service tokens and batch tokens.
Root Tokens
Periodic Tokens
Service Tokens

Service tokens are what users will generally think of as "normal" Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.

Batch Tokens

Batch tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result they are extremely lightweight and scalable, but lack most of the flexibility and features of service tokens.

Token Type Comparison

This reference chart describes the difference in behavior between service and batch tokens.
| Feature | Service Tokens | Batch Tokens |
|---|---|---|
| Can Be Root Tokens | Yes | No |
| Can Create Child Tokens | Yes | No |
| Can be Renewable | Yes | No |
| Can be Periodic | Yes | No |
| Can have Explicit Max TTL | Yes | No (always uses a fixed TTL) |
| Has Accessors | Yes | No |
| Has Cubbyhole | Yes | No |
| Revoked with Parent (if not orphan) | Yes | Stops Working |
| Dynamic Secrets Lease Assignment | Self | Parent (if not orphan) |
| Can be Used Across Performance Replication Clusters | No | Yes (if orphan) |
| Creation Scales with Performance Standby Node Count | No | Yes |
| Cost | Heavyweight; multiple storage writes per token creation | Lightweight; no storage cost for token creation |
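The chart can be turned into a review check over token lookup data. The following is an added example, not code from the original post or from Vault: it assumes records shaped like the `data` object of `vault token lookup -format=json` (fields `type`, `policies`, `ttl`, `period`, `renewable`, `orphan`, `accessor`), and the sample records and function names are constructed for illustration.

```python
import json

# Constructed records shaped like the "data" object of
# `vault token lookup -format=json`; every value here is made up.
SAMPLE_LOOKUPS = json.loads("""
[
  {"display_name": "root", "type": "service", "policies": ["root"],
   "ttl": 0, "renewable": false, "orphan": true, "accessor": "acc-constructed-1"},
  {"display_name": "ci-runner", "type": "service", "policies": ["default", "ci"],
   "ttl": 2700, "period": 3600, "renewable": true, "orphan": false,
   "accessor": "acc-constructed-2"},
  {"display_name": "lambda-job", "type": "batch", "policies": ["default", "jobs"],
   "ttl": 600, "renewable": false, "orphan": true, "accessor": ""},
  {"display_name": "odd-record", "type": "batch", "policies": ["default"],
   "ttl": 600, "renewable": true, "orphan": false, "accessor": "acc-constructed-3"}
]
""")


def audit_token(rec):
    """Return review findings for one token lookup record."""
    findings = []
    is_root = "root" in rec.get("policies", [])
    if is_root:
        findings.append("root token")
    if rec.get("period"):
        findings.append("periodic token: no expiry while it keeps being renewed")
    if rec.get("type") == "service" and rec.get("ttl") == 0 and not is_root:
        findings.append("service token that never expires")
    if rec.get("type") == "batch":
        # The chart says batch tokens have no accessor, are never renewable,
        # periodic or root, and depend on their parent unless orphaned.
        if rec.get("accessor"):
            findings.append("inconsistent: batch token with an accessor")
        if rec.get("renewable") or rec.get("period") or is_root:
            findings.append("inconsistent: batch token marked renewable, periodic or root")
        if not rec.get("orphan"):
            findings.append("non-orphan batch token: stops working when its parent is revoked")
    return findings


def audit(records):
    """Map each token's display name to its findings."""
    return {r["display_name"]: audit_token(r) for r in records}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LOOKUPS).items():
        print(f"{name}: {findings or ['no findings']}")
```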
