Settings
Admin Tokens
Generate, rotate, and revoke console admin tokens with strong operational governance.
Operational guide to generate, rotate, and revoke admin tokens while minimizing exposure risk.
Generate
Create new token (1 year)
Rotate
Invalidate & replace
Revoke
Immediate invalidation
Audit
Track usage & age
Least Privilege
Limit who can issue
Compliance
Meet rotation policies
Token Basics
| Aspect | Value |
|---|---|
| Default Expiry | 1 year (newly generated) |
| Visibility | Shown once at creation dialog |
| Scope | Console administrative API operations |
| Not Available For | Super Admin accounts |
Copy token immediately; it cannot be retrieved later—only regenerated.
Generate Token
1
Navigate
Settings → Admin Users.
2
Options
Click ellipses … next to your admin user.
3
Generate
Select Generate new token.
4
Copy
Securely store in secrets manager.
5
Distribute
Limit distribution to required automation only.
Rotation Strategy
Planned Rotation
Planned Rotation
Generate replacement token → update dependent services → revoke old (grace window ≤24h).
Unplanned Rotation
Unplanned Rotation
Suspected leak → immediate revoke → generate new → notify stakeholders.
Inventory Tracking
Inventory Tracking
Maintain registry: owner, creation date, last used timestamp.
Automation Use
Automation Use
Prefer service-specific tokens rather than sharing a personal admin’s token.
Revoke Token
Admin revokes own token via same menu; session invalidated, re-login required.
Errors when revoking: non-admin attempts or unknown username.
Metrics
| Metric | Description | Threshold |
|---|---|---|
| Active Tokens | Count of valid admin tokens | Unexpected growth → audit issuance |
| Avg Token Age (days) | Mean age since creation | > 300 → schedule rotations |
| Orphan Tokens | Tokens with no recent usage (≥30d) | >0 → revoke |
| Compromise Incidents | Confirmed leaks | Any >0 → tighten issuance policy |
Troubleshooting
| Issue | Likely Cause | Fix |
|---|---|---|
| Cannot generate | Super Admin account | Use general admin account |
| Token lost | Not stored at creation | Generate new token; revoke old if still active |
| Script failing after rotation | Not updated credential | Update secret store & redeploy |
| Revocation error | Username mismatch | Verify exact admin username |