1--- 2layout: "guides" 3page_title: "Tokens and Leases - Guides" 4sidebar_title: "Tokens and Leases" 5sidebar_current: "guides-identity-lease" 6description: |- 7 Tokens are the core method for authentication within Vault. For every 8 authentication token and dynamic secret, Vault creates a lease 9 containing information such as duration, renewability, and more. 10 Understanding the lifecycle of leases means understanding the lifecycle of 11 tokens in some sense. 12--- 13 14# Tokens and Leases 15 16Almost everything in Vault has an associated lease, and when the lease is 17expired, the secret is revoked. Tokens are not an exception. Every non-root 18token has a time-to-live (TTL) associated with it. When a token expires and it's 19not renewed, the token is automatically revoked. 20 21## Lease Hierarchy 22 23When a new token or secret is created, it is a child of the creator. If the 24parent is revoked or expires, so do all its children regardless of their own 25leases. A child may be a token, secret, or authentication created by a parent. A 26parent is almost always a **token**. 27 28Suppose a hierarchy exists with respective TTL as follows: 29 30``` 31 b519c6aa... (3h) 32 6a2cf3e7... (4h) 33 1d3fd4b2... (1h) 34 794b6f2f... (2h) 35``` 36 37In this scenario, the lease ID of `1d3fd4b2..` will expire in an hour. If a 38token or secret with a lease is not renewed before the lease expires, it will be 39revoked by the Vault server. When it's revoked, it takes its child 40(`794b6f2f...`) although the child has one more hour before it expires. Then, 41two hours later, `b519c6aa...` will be revoked and takes its child 42(`6a2cf3e7...`) with it. 43 44 45## Reference Material 46 47- The [Validation](/guides/secret-mgmt/dynamic-secrets.html#validation) section of the 48[Secret as a Service](/guides/secret-mgmt/dynamic-secrets.html) guide demonstrates lease 49renewal and revocation 50- [Tokens documentation](/docs/concepts/tokens.html) 51- [Token Auth Method (API)](/api/auth/token/index.html) 52- [Lease, Renew, and Revoke](/docs/concepts/lease.html) 53 54~> **NOTE:** An [interactive 55tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-tokens) is 56also available if you do not have a Vault environment to perform the steps 57described in this guide. 58 59## Estimated Time to Complete 60 6110 minutes 62 63## Personas 64 65The end-to-end scenario described in this guide involves one persona: 66 67- **`admin`** with privileged permissions to create and manage tokens 68 69See the [policy requirements](#policy-requirements) section for details. 70 71## Challenge 72 73Consider the following scenarios often encountered outside of Vault: 74 75- There is no **break glass** procedure available for revoking 76access to credentials in the event of a breach 77- Credentials for external systems (e.g. AWS, MySQL) are shared 78- Need temporal access to a database in a specific scenario 79 80## Solution 81 82Vault has built-in support for secret revocation. Vault can revoke not only 83a single secret, but also a tree of secrets. For example, Vault can revoke all 84secrets read by a specific **user** or all secrets of a specific **type**. 85Revocation assists in key rolling as well as locking down systems in the case of 86an intrusion. 87 88If a user or machine needs a temporal access to Vault, you can set a short TTL 89or a number of uses to a token so the token is automatically revoked at the 90end of its life. 91 92This also allows for organizations to plan and train for various 93"break glass" procedures. 94 95## Prerequisites 96 97To perform the tasks described in this guide, you need to have a Vault 98environment. Refer to the [Getting 99Started](/intro/getting-started/install.html) guide to install Vault. Make sure 100that your Vault server has been [initialized and 101unsealed](/intro/getting-started/deploy.html). 102 103 104### Policy requirements 105 106-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work 107with Vault. However, it is recommended that root tokens are used for just 108enough initial setup or in emergencies. As a best practice, use tokens with 109an appropriate set of policies based on your role in the organization. 110 111To perform all tasks demonstrated in this guide, your policy must include the 112following permissions: 113 114```shell 115# List available auth method - Step 1 116path "sys/auth" { 117 capabilities = [ "read" ] 118} 119 120# Read default token configuration 121path "sys/auth/token/tune" { 122 capabilities = [ "read", "sudo" ] 123} 124 125# Create and manage tokens (renew, lookup, revoke, etc.) 126path "auth/token/*" { 127 capabilities = [ "create", "read", "update", "delete", "list", "sudo" ] 128} 129 130# For Advanced Features - list available secret engines 131path "sys/mounts" { 132 capabilities = [ "read" ] 133} 134 135# For Advanced Features - tune the database secret engine TTL 136path "sys/mounts/database/tune" { 137 capabilities = [ "update" ] 138} 139``` 140 141If you are not familiar with policies, complete the 142[policies](/guides/identity/policies.html) guide. 143 144 145## Steps 146 147Tokens are the core method for authentication within Vault. Tokens can be used 148directly or dynamically generated by the auth methods. Regardless, the clients 149need valid tokens to interact with Vault. 150 151This guide demonstrates the lifecycle of tokens. 152 1531. [Read token auth method configuration](#step1) 1541. [Create short-lived tokens](#step2) 1551. [Create tokens with use limit](#step3) 1561. [Periodic tokens](#step4) 1571. [Orphan tokens](#step5) 1581. [Revoke tokens](#step6) 159 160 161### <a name="step1"></a>Step 1: Read token auth method configuration 162 163When you create leases with no specific TTL values, the default value applies 164to the lease. 165 166```shell 167$ vault auth list 168 169Path Type Accessor Default TTL Max TTL Replication Behavior Description 170approle/ approle auth_approle_53f0fb08 system system replicated 171github/ github auth_github_b770f4c8 system system replicated 172token/ token auth_token_2ad69043 system system replicated token based credentials 173userpass/ userpass auth_userpass_d326d2f9 system system replicated 174``` 175 176The system max TTL is **32 days**, but you can override it to be longer or 177shorter in Vault's configuration file. 178 179Another option is to tune the mount configuration to override the system 180defaults by calling the **`/sys/mounts/<PATH>/tune`** endpoint (e.g. 181`/sys/mounts/database/tune`). For the auth method system configuration, call 182**`/sys/auth/<METHOD>/tune`** endpoint. 183 184NOTE: Refer to the [Advanced Features](#advanced-features) section for tuning 185the system configuration. 186 187#### CLI command 188 189Read the default TTL settings for **token** auth method: 190 191```shell 192$ vault read sys/auth/token/tune 193 194Key Value 195--- ----- 196default_lease_ttl 2764800 197force_no_cache false 198max_lease_ttl 2764800 199``` 200 201#### API call using cURL 202 203Use `/sys/auth/token/tune` endpoint to read the default TTL settings for **token** auth 204method: 205 206```shell 207$ curl --header "X-Vault-Token: <TOKEN>" \ 208 --request GET \ 209 <VAULT_ADDRESS>/v1/sys/auth/token/tune 210``` 211 212Where `<TOKEN>` is your valid token with read permission on the 213`sys/auth/token/tune` path. 214 215**Example:** 216 217```shell 218$ curl --header "X-Vault-Token: ..." --request GET \ 219 http://127.0.0.1:8200/v1/sys/auth/token/tune | jq 220{ 221 "default_lease_ttl": 2764800, 222 "max_lease_ttl": 2764800, 223 "force_no_cache": false, 224 "request_id": "630fd49d-f704-540f-0641-41516087654f", 225 "lease_id": "", 226 "renewable": false, 227 "lease_duration": 0, 228 "data": { 229 "default_lease_ttl": 2764800, 230 "force_no_cache": false, 231 "max_lease_ttl": 2764800 232 }, 233 "wrap_info": null, 234 "warnings": null, 235 "auth": null 236} 237``` 238 239-> **NOTE:** The returned TTL value is in seconds (2764800 seconds = 32 days). 240 241### <a name="step2"></a>Step 2: Create short-lived tokens 242 243Create a new token with TTL of 30 seconds which means that the token gets 244automatically revoked after 30 seconds. 245 246#### CLI command 247 248To view optional parameters to create tokens: 249 250```shell 251$ vault token create -help 252``` 253 254There are a number of parameters you can set. To specify the token TTL, pass 255the value using `-ttl` parameter. 256 257**Example:** 258 259```shell 260# Create a token with TTL of 30 seconds 261$ vault token create -ttl=30s 262Key Value 263--- ----- 264token 3b2b1285-844b-4b40-6afa-623f39c1b738 265token_accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11 266token_duration 30s 267token_renewable true 268token_policies [admin] 269 270# Test the new token 271$ VAULT_TOKEN=3b2b1285-844b-4b40-6afa-623f39c1b738 vault token lookup 272Key Value 273--- ----- 274accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11 275creation_time 1515702047 276creation_ttl 30 277display_name token 278expire_time 2018-01-11T20:21:17.900969673Z 279explicit_max_ttl 0 280id 3b2b1285-844b-4b40-6afa-623f39c1b738 281issue_time 2018-01-11T20:20:47.90096937Z 282meta <nil> 283num_uses 0 284orphan false 285path auth/token/create 286policies [admin] 287renewable true 288ttl 8 289``` 290 291**NOTE:** The `vault token lookup` command returns the token's properties. 292In this example, it shows that this token has 8 more seconds before it expires. 293 294When you execute a Vault command using the new token immediately following its 295creation, it should work. Wait for 30 seconds and try again. It returns 296**`Code: 403. Errors:`** which indicates a forbidden API call due to expired 297token usage. 298 299 300You can **renew** the token's TTL as long as the token has not expired. 301 302```shell 303$ vault token renew <TOKEN> 304``` 305 306If you want to renew and extend the token's TTL, pass the desired extension: 307 308```shell 309$ vault token renew <TOKEN> <EXTENSION> 310``` 311 312Or with revamped cli: 313 314```shell 315$ vault token renew -increment=<EXTENSION> <TOKEN> 316``` 317 318The extension value can be an integer number of seconds (e.g. 3600) or a string 319duration (e.g. "1h"). 320 321 322#### API call using cURL 323 324Use the `auth/token/create` endpoint to create a new token. There are a number of 325optional [parameters](/api/auth/token/index.html#create-token) that you can pass 326in the request payload. 327 328**Example:** 329 330The following example sets the `ttl` parameter. 331 332```shell 333# Create a new token with TTl of 30 seconds 334$ curl --header "X-Vault-Token: ..." --request POST \ 335 --data '{"ttl": "30s"}' \ 336 http://127.0.0.1:8200/v1/auth/token/create | jq 337{ 338 ... 339 "auth": { 340 "client_token": "f7d88963-1aba-64d7-11a0-9282ae7681d0", 341 "accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6", 342 "policies": [ 343 "admin" 344 ], 345 "metadata": null, 346 "lease_duration": 30, 347 "renewable": true 348 } 349} 350 351# Pass the returned token (`client_token`) in the `X-Vault-Token` header to test 352$ curl --header "X-Vault-Token: f7d88963-1aba-64d7-11a0-9282ae7681d0" \ 353 --request GET \ 354 http://127.0.0.1:8200/v1/auth/token/lookup-self | jq 355{ 356 ... 357 "data": { 358 "accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6", 359 "creation_time": 1515702669, 360 "creation_ttl": 30, 361 ... 362 "renewable": true, 363 "ttl": 14 364 }, 365 ... 366} 367``` 368 369When you invoke the API using the new token immediately following its 370creation, it should work. Wait for 30 seconds and try again. It returns 371**`Code: 403. Errors:`** which indicates a forbidden API call due to expired 372token usage. 373 374#### Renew the token: 375 376```shell 377$ curl --header "X-Vault-Token: ..." --request POST \ 378 http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq 379 380# Renew token with 1 hour extension 381$ curl --header "X-Vault-Token: ..." --request POST \ 382 --data '{"increment": "3600"}' \ 383 http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq 384``` 385 386-> **NOTE:** Tokens can be renewed as long as its life hasn't reached its max 387TTL. For example, if the token's TTL is 1 hour and max TTL is 24 hours, you can 388renew the token up to 24 hours from its creation time. Once 24 hours has passed from 389the token's creation time, the token is revoked by Vault. For long running 390processes, this may introduce complexity. In such case, use [periodic tokens](#step4). 391 392 393### <a name="step3"></a>Step 3: Create tokens with use limit 394 395In addition to TTL and max TTL, tokens may be limited to a number of uses. Use 396limit tokens expire at the end of their last use regardless of their remaining 397TTLs. On the same note, use limit tokens expire at the end of their TTLs 398regardless of their remaining uses. 399 400To create tokens with a use limit, set the number of uses when you 401create them. 402 403#### CLI command 404 405Create a token with the `-use-limit` property argument. 406 407**Example:** 408 409```shell 410$ vault token create -policy=default -use-limit=2 411 412Key Value 413--- ----- 414token bd39178e-176e-cc91-3930-94f7b0194de5 415token_accessor a230f5ab-b59f-db0b-855d-36ea4319b58e 416token_duration 768h0m0s 417token_renewable true 418token_policies [default] 419``` 420 421This creates a token with the _default_ policy and a use limit of 2. 422 423#### Verification 424 425```shell 426$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault token lookup 427 428Key Value 429--- ----- 430accessor a230f5ab-b59f-db0b-855d-36ea4319b58e 431creation_time 1515710251 432creation_ttl 2764800 433display_name token 434expire_time 2018-02-12T22:37:31.715486503Z 435explicit_max_ttl 0 436id bd39178e-176e-cc91-3930-94f7b0194de5 437issue_time 2018-01-11T22:37:31.715486221Z 438meta <nil> 439num_uses 1 440orphan false 441path auth/token/create 442policies [default] 443renewable true 444ttl 2764769 445 446 447$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault write cubbyhole/token \ 448 value=bd39178e-176e-cc91-3930-94f7b0194de5 449 450Success! Data written to: cubbyhole/token 451 452 453$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault read cubbyhole/token 454Error reading cubbyhole/token: Error making API request. 455 456URL: GET http://127.0.0.1:8200/v1/cubbyhole/token 457Code: 403. Errors: 458 459* permission denied 460``` 461 462The first command read the token's properties and then wrote a value to the cubbyhole 463secret engine. This exhausted the use limit of 2 for this token. Therefore, 464the attempt to read the secret from the cubbyhole failed. 465 466 467#### API call using cURL 468 469Set the `num_uses` property in the request payload. 470 471```plaintext 472$ curl --header "X-Vault-Token: ..." --request POST \ 473 --data '{ "policies": ["default"], "num_uses":2 }' \ 474 http://127.0.0.1:8200/v1/auth/token/create | jq 475{ 476 "request_id": "0e98ff80-2825-7f50-6522-b6f95d596ef4", 477 "lease_id": "", 478 "renewable": false, 479 "lease_duration": 0, 480 "data": null, 481 "wrap_info": null, 482 "warnings": null, 483 "auth": { 484 "client_token": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668", 485 "accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968", 486 "policies": [ 487 "default" 488 ], 489 "metadata": null, 490 "lease_duration": 2764800, 491 "renewable": true 492 } 493} 494``` 495 496This creates a token with the _default_ policy and a use limit of 2. 497 498#### Verification 499 500```text 501$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \ 502 --request GET \ 503 http://127.0.0.1:8200/v1/auth/token/lookup-self | jq 504{ 505 "request_id": "77be1321-c0ca-e099-6f92-4ad87133b044", 506 "lease_id": "", 507 "renewable": false, 508 "lease_duration": 0, 509 "data": { 510 "accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968", 511 "creation_time": 1515711922, 512 "creation_ttl": 2764800, 513 "display_name": "token", 514 "expire_time": "2018-02-12T23:05:22.746137253Z", 515 "explicit_max_ttl": 0, 516 "id": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668", 517 "issue_time": "2018-01-11T23:05:22.746136892Z", 518 "meta": null, 519 "num_uses": 1, 520 ... 521} 522 523$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \ 524 --request POST \ 525 --data '{ "value": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668" }' \ 526 http://127.0.0.1:8200/v1/cubbyhole/token 527 528 529$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \ 530 --request GET \ 531 http://127.0.0.1:8200/v1/cubbyhole/token | jq 532{ 533 "errors": [ 534 "permission denied" 535 ] 536} 537``` 538 539The first command read the token's properties and then wrote a value to the cubbyhole 540secret engine. This exhausted the use limit of 2 for this token. Therefore, 541the attempt to read the secret from the cubbyhole failed. 542 543 544 545### <a name="step4"></a>Step 4: Periodic tokens 546 547**Root** or **sudo** users have the ability to generate **periodic tokens**. 548Periodic tokens have a TTL, but no max TTL; therefore, they may live for an 549infinite duration of time so long as they are renewed within their TTL. This 550is useful for long-running services that cannot handle regenerating a token. 551 552#### CLI command 553 554First, create a token role with a specific `period`. When you set `period`, 555tokens created for this role will have no max TTL. Instead, the `period` becomes 556the token renewal period. This value can be an integer value in seconds (e.g. 5572764800) or a string duration (e.g. 72h). 558 559```shell 560$ vault write auth/token/roles/<ROLE_NAME> allowed_policies="<POLICY_NAMES>" period=<RENEWAL_PERIOD> 561``` 562 563**Example:** 564 565```shell 566$ vault write auth/token/roles/zabbix allowed_policies="default" period="24h" 567``` 568 569Now, generate a token: 570 571```shell 572$ vault token create -role=zabbix 573 574Key Value 575--- ----- 576token de91ebba-20ad-18ba-fa43-08e1932de301 577token_accessor 1f8abad0-c1db-9399-15ee-dd4b6230386c 578token_duration 24h0m0s 579token_renewable true 580token_policies [default] 581``` 582 583 584#### API call using cURL 585 586First, create a token role by setting `period`. When you set `period`, tokens 587created for this role will have no max TTL. Instead, the `period` becomes the 588token renewal period. This value can be an integer value in seconds (e.g. 5892764800) or a string duration (e.g. 72h). 590 591**Example:** 592 593```shell 594# API request payload 595$ tee payload.json <<EOF 596{ 597 "allowed_policies": [ 598 "default" 599 ], 600 "period": "24h" 601} 602EOF 603 604# Create a token role called 'zabbix' 605$ curl --header "X-Vault-Token: ..." --request POST \ 606 --data @payload.json \ 607 http://127.0.0.1:8200/v1/auth/token/roles/zabbix 608``` 609 610This creates a token role named `zabbix` with `default` policies attached. 611Its renewal period is set to 24 hours. 612 613Now, generate a token: 614 615```plaintext 616$ curl --header "X-Vault-Token: ..." --request POST \ 617 http://127.0.0.1:8200/v1/auth/token/create/zabbix | jq 618{ 619 ... 620 "auth": { 621 "client_token": "a59c0d41-8df7-ba8e-477e-9bfb394f28a0", 622 "accessor": "c2023006-ce8d-532b-136f-330223ccf464", 623 "policies": [ 624 "default" 625 ], 626 "metadata": null, 627 "lease_duration": 86400, 628 "renewable": true, 629 "entity_id": "" 630 } 631``` 632 633Generated tokens are renewable indefinitely as long as they are renewed 634before the lease duration expires. The token renew command was covered in 635[Step 2](#step2). 636 637 638#### Additional Note: Periodic Tokens with AppRole 639 640It probably makes better sense to create **AppRole** periodic tokens since we 641are talking about long-running apps that need to be able to renew their token 642indefinitely. 643 644-> For more details about AppRole, read the [AppRole Pull 645Authentication](/guides/identity/authentication.html) guide. 646 647To create AppRole periodic tokens, create your AppRole role with 648`period` specified. 649 650**Example:** 651 652```plaintext 653$ vault write auth/approle/role/jenkins policies="jenkins" period="72h" 654``` 655 656Or 657 658```shell 659# Sample request payload 660$ tee payload.json <<EOF 661{ 662 "allowed_policies": [ 663 "jenkins" 664 ], 665 "period": "72h" 666} 667EOF 668 669# Create a role named 'jenkins' 670$ curl --header "X-Vault-Token:..." --request POST \ 671 --data @payload.json \ 672 http://127.0.0.1:8200/v1/auth/approle/role/jenkins 673``` 674 675 676 677### <a name="step5"></a>Step 5: Orphan tokens 678 679Orphan tokens are **not** children of their parent; therefore, orphan tokens do 680not expire when their parent does. 681 682**NOTE:** Orphan tokens still expire when their own max TTL is reached. 683 684#### CLI command 685 686The following CLI command requires **root** token or **sudo** capability on the 687`auth/token/create` path. 688 689```shell 690$ vault token create -orphan 691``` 692 693#### API call using cURL 694 695To create an orphan token, use the **`auth/token/create-orphan`** endpoint: 696 697```shell 698$ curl --header "X-Vault-Token:..." --request POST \ 699 http://127.0.0.1:8200/v1/auth/token/create-orphan | jq 700``` 701 702Also, you can create an orphan token using the **`auth/token/create`** endpoint with 703`no-parent` parameter set to true. 704 705```shell 706$ curl --header "X-Vault-Token:..." --request POST \ 707 --data '{ "no_parent": true }' \ 708 http://127.0.0.1:8200/v1/auth/token/create | jq 709``` 710 711!> **NOTE:** The **`auth/token/create`** endpoint requires **root** token or 712**sudo** capability to create an orphan token while 713**`auth/token/create-orphan`** endpoint does not. 714 715### <a name="step6"></a>Step 6: Revoke tokens and leases 716 717Revoking a token and all its children. 718 719#### CLI command 720 721To revoke a specific token: 722 723```shell 724$ vault token revoke <TOKEN> 725``` 726 727To revoke all leases under a specific path: 728 729```shell 730$ vault lease revoke -prefix <PATH> 731``` 732 733**Example:** 734 735```shell 736# Revoke a specific token 737$ vault token revoke eeaf890e-4b0f-a687-4190-c75b1d6d70bc 738 739# Revoke all leases for database auth method 740$ vault lease revoke -prefix database/creds 741 742# Revoke all tokens 743$ vault lease revoke -prefix auth/token/create 744 745# Revoke all tokens by accessor 746$ vault token revoke -accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11 747``` 748 749#### API call using cURL 750 751To revoke a specific token, call `/auth/token/revoke` endpoint. If you want to revoke tokens/secrets under a specific path, call `/sys/leases/revoke-prefix/<PATH>`. 752 753 754**Example:** 755 756```shell 757# Revoke a specific token 758$ curl --header "X-Vault-Token:..." --request POST \ 759 --data '{ "token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc" }' \ 760 http://127.0.0.1:8200/v1/auth/token/revoke 761 762# Revoke all secrets for database auth method 763$ curl --header "X-Vault-Token:..." --request POST \ 764 http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/database/creds 765 766# Revoke all tokens 767$ curl --header "X-Vault-Token:..." --request POST \ 768 http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/auth/token/create 769 770# Revoke all tokens by accessor 771$ curl --header "X-Vault-Token: ..." --request POST \ 772 --data '{ "accessor": "2b2b5b83-7f22-fecd-03f0-4e25bf64da11" }' \ 773 http://127.0.0.1:8200/v1/auth/token/revoke-accessor 774``` 775 776 777## Advanced Features 778 779It is important to understand lease configuration to avoid having your 780secret leases expire earlier than you expected. 781 782#### 1. Determine the TTLs specific to the mount 783 784```shell 785$ vault secrets list 786 787Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Seal Wrap Description 788cubbyhole/ cubbyhole cubbyhole_36021b8e n/a n/a n/a false local false per-token private secret storage 789database/ database database_e21b9b4f n/a system system false replicated false 790identity/ identity identity_035fe03b n/a n/a n/a false replicated false identity store 791pki/ pki pki_9ae09eb3 n/a system system false replicated false 792secret/ kv kv_2e59ba96 n/a system system false replicated false key/value secret storage 793ssh/ ssh ssh_ea06b9bb n/a system system false replicated false 794sys/ system system_f5b5ecac n/a n/a n/a false replicated false system endpoints used for control, policy and debugging 795transit/ transit transit_07fc2df9 n/a system system false replicated false 796``` 797 798Notice the **Default TTL** and **Max TTL** columns. 799 800#### 2. Tune the system TTLs 801 802Override the global defaults by specifying `default_lease_ttl` and 803`max_lease_ttl` to meet your requirements. 804 805**Example:** 806 807The following example assumes that you have a database secret engine configured. 808 809```shell 810$ vault write sys/mounts/database/tune default_lease_ttl="8640" 811``` 812 813Or 814 815```shell 816$ curl --header "X-Vault-Token:..." --request POST \ 817 --data '{ "max_lease_ttl": 129600}' \ 818 http://127.0.0.1:8200/v1/sys/mounts/database/tune 819``` 820 821 822 823#### 3. Check the role specific TTLs 824 825Depending on the auth method, there may be more specific TTLs configured (e.g. 826roles, groups, users) as you have done so in [Step 4](#step4). 827 828```shell 829$ vault read auth/token/roles/zabbix 830 831Key Value 832--- ----- 833allowed_policies [default] 834disallowed_policies [] 835explicit_max_ttl 0 836name zabbix 837orphan false 838path_suffix 839period 86400 840renewable true 841``` 842 843 844## Next steps 845 846Now that you have learned the lifecycle of tokens and leases, read the [AppRole Pull 847Authentication](/guides/identity/authentication.html) guide to learn how to generate 848tokens for apps or machines. 849