# Token

You created your first secret, learned about secrets engines and explored dynamic secrets with the Vault server you started in development mode.

In this tutorial, you will explore authentication with Vault tokens and GitHub credentials.

### Token authentication <a href="#token-authentication" id="token-authentication"></a>

Token authentication is automatically enabled. When you started the dev server, the output displayed a *root token*. The Vault CLI read the *root token* from the `$VAULT_TOKEN` environment variable. This *root token* can perform any operation within Vault because it is assigned the `root` policy. One capability is to create new tokens.

Create a new token.

```shell-session
$ vault token create
```

**Example output:**

```plaintext
Key                  Value
---                  -----
token                s.iyNUhq8Ov4hIAx6snw5mB2nL
token_accessor       maMfHsZfwLB6fi18Zenj3qh6
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
```

The token is created and the output describes this token a table of keys and values. The created `token` is displayed here as `s.iyNUhq8Ov4hIAx6snw5mB2nL`.

This token is a child of the *root token*, and by default, it inherits the policies from its parent.

Token is the core authentication method. You can use the generated token to login with Vault, by copy and pasting it when prompted.

**Example:**

```shell-session
$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.iyNUhq8Ov4hIAx6snw5mB2nL
token_accessor       maMfHsZfwLB6fi18Zenj3qh6
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
```

Create another token.

```shell-session
$ vault token create

Key                  Value
---                  -----
token                s.TsKT5ubouZ7TF26Eg7wNIl3k
token_accessor       b1d0curWHYqmgCndk0G1cM6R
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
```

The token is created and displayed here as `s.TsKT5ubouZ7TF26Eg7wNIl3k`. Each `token` that Vault creates is unique.

When a token is no longer needed it can be revoked.

Revoke the first token you created.

**Example:**

```shell-session
$ vault token revoke s.iyNUhq8Ov4hIAx6snw5mB2nL

Success! Revoked token (if it existed)
```

The token has been revoked.

An attempt to login with the revoked token will result in an error.

```shell-session
$ vault login
Token (will be hidden):
Error authenticating: error looking up token: Error making API request.

URL: GET http://127.0.0.1:8200/v1/auth/token/lookup-self
Code: 403. Errors:

* permission denied
```

Revoking a token will also revoke all tokens that were created by the token.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.enclaive.cloud/vault/tutorials/cli/authentication/token.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.