By default, some cluster-level API tokens are generated with infinite time-to-live (`ttl=0`). In other words, API tokens with `ttl=0` never expire unless you invalidate them. Tokens are not invalidated by changing a password.
You can deactivate API tokens by deleting them or by deactivating the user account.
To delete a token:

1. Go to the list of all tokens in the Rancher API view at
2. Access the token you want to delete by its ID. For example,
Here is the complete list of tokens that are generated with
| Token | Description |
|---|---|
| | Token for agent deployment |
| | Token for compose |
| | Token for Helm chart deployment |
| | Pipeline token for project |
| | Token for drain (we use |
Setting TTL on Kubeconfig Tokens
Admins can set a global TTL on kubeconfig tokens. Once the token expires, the kubectl command will require the user to authenticate to Rancher again.
Go to the global settings and:
- Set the setting to `false`. This setting instructs Rancher to no longer automatically generate a token when a user downloads a kubeconfig file. The kubeconfig file will instead provide a command to log in to Rancher.
Note: Once this setting is deactivated, a generated kubeconfig will reference the Rancher CLI to retrieve a short-lived token for the cluster. When you use this kubeconfig in a client such as `kubectl`, the Rancher CLI needs to be installed as well.
- Set the `kubeconfig-token-ttl-minutes` setting to the desired duration in minutes. By default, `kubeconfig-token-ttl-minutes` is 960 (16 hours).
Note: This value cannot exceed the maximum TTL of API tokens (`auth-token-max-ttl-minutes`). `auth-token-max-ttl-minutes` is set to 1440 (24 hours) by default. `auth-token-max-ttl-minutes` would default to 0, allowing tokens to never expire.
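Putting the `ttl=0` rule and the two TTL settings together, here is an added audit script (example code, not from the Rancher documentation) that reads a token listing of the shape returned by `GET /v3/tokens` or `kubectl get tokens.management.cattle.io -o json` and flags tokens that never expire or exceed the configured limits. The field names used (`ttl` in milliseconds, `created`, `userId`, `description`) are an assumption about Rancher's Token schema, and the sample listing is constructed.

```python
"""Audit Rancher API tokens for infinite or over-long TTLs (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Global settings discussed on this page, in minutes (page defaults).
AUTH_TOKEN_MAX_TTL_MINUTES = 1440    # 24 hours
KUBECONFIG_TOKEN_TTL_MINUTES = 960   # 16 hours

# Constructed sample listing. Field names assume Rancher's Token schema;
# "ttl" is in milliseconds and 0 means the token never expires.
SAMPLE_TOKENS = json.dumps({"data": [
    {"name": "kubeconfig-u-abc123", "userId": "u-abc123", "ttl": 86400000,
     "created": "2024-05-01T08:00:00Z", "description": "Kubeconfig token"},
    {"name": "token-legacy", "userId": "u-abc123", "ttl": 0,
     "created": "2023-01-10T12:00:00Z", "description": "Old CLI token"},
    {"name": "token-longlived", "userId": "u-def456", "ttl": 259200000,
     "created": "2024-05-01T08:00:00Z", "description": "Automation token"},
]})


def audit_tokens(listing_json, max_ttl_minutes=AUTH_TOKEN_MAX_TTL_MINUTES,
                 kubeconfig_ttl_minutes=KUBECONFIG_TOKEN_TTL_MINUTES):
    """Return (token name, finding) pairs for tokens that need attention."""
    findings = []
    for tok in json.loads(listing_json)["data"]:
        ttl_min = tok["ttl"] / 60000  # milliseconds -> minutes
        if tok["ttl"] == 0:
            # Never expires: only deleting it or deactivating the user ends it.
            findings.append((tok["name"], "ttl=0: never expires"))
        elif ttl_min > max_ttl_minutes:
            findings.append((tok["name"],
                             f"ttl {ttl_min:.0f} min exceeds "
                             f"auth-token-max-ttl-minutes ({max_ttl_minutes})"))
        elif tok["name"].startswith("kubeconfig-") and ttl_min > kubeconfig_ttl_minutes:
            findings.append((tok["name"],
                             f"kubeconfig ttl {ttl_min:.0f} min exceeds "
                             f"kubeconfig-token-ttl-minutes ({kubeconfig_ttl_minutes})"))
    return findings


def expires_at(token):
    """Expiry as creation time plus TTL; None when ttl=0 (no expiry at all)."""
    if token["ttl"] == 0:
        return None
    created = datetime.fromisoformat(token["created"].replace("Z", "+00:00"))
    return created.astimezone(timezone.utc) + timedelta(milliseconds=token["ttl"])


if __name__ == "__main__":
    for name, finding in audit_tokens(SAMPLE_TOKENS):
        print(f"{name}: {finding}")
```

Feed it the real listing from your Rancher server to see which tokens a password change would leave untouched.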
Users can enable token hashing, where tokens undergo a one-way hash using the SHA256 algorithm. This is a non-reversible process: once enabled, this feature cannot be disabled. It is advisable to take backups prior to enabling it, and to evaluate it in a test environment first.
To enable token hashing, refer to this section.
This feature affects all tokens, which include, but are not limited to, the following:
- Kubeconfig tokens
- Bearer tokens (API keys/calls)
- Tokens used by internal operations