
Token Lifetime Configuration

Learn about the default Identity Service token lifetime in PCD and how to change it for self-hosted deployments.

Overview

Private Cloud Director uses tokens issued by the Identity Service to authenticate all API requests and CLI commands. Every token has a finite lifetime. After a token expires, the user or service must re-authenticate to obtain a new token.

Understanding the default token lifetime and how to extend it is important for:

  • Long-running automation scripts or batch jobs that need a token valid for several hours.

  • Service accounts and application credentials used in pipelines.

  • Environments where re-authenticating frequently is disruptive.

In this guide, you will learn the default token lifetime and how to change it.

Token lifetime vs. session timeout

The token lifetime controls how long a token issued by the Identity Service remains valid. Browser session timeouts in the PCD UI are a separate setting and are not covered here.

Default Token Lifetime

The default token lifetime for Private Cloud Director is 24 hours (86,400 seconds). Tokens issued through either the password or the token authentication method use this default.

Change the Token Lifetime

The token lifetime is controlled by the expiration parameter in the Identity Service configuration.

Step 1: Identify the Identity Service Configuration

  1. Log in to a management plane node or connect to the management plane cluster.

  2. Locate the Identity Service configuration. In a typical Self-Hosted deployment, the configuration is managed as a Kubernetes ConfigMap or a mounted configuration file. Check with your Platform9 support contact or refer to your deployment's airctl configuration for the exact location.

Step 2: Update the Token Expiration Setting

  1. Edit the Identity Service configuration to set the expiration value under the [token] section of keystone.conf:

To change the lifetime to, for example, 48 hours (172,800 seconds):

  2. Save the configuration change.

Step 3: Apply the Change

  1. Restart the Identity Service pods to pick up the updated configuration:

  2. Wait for the rollout to complete:

Step 4: Verify the Change

  1. Obtain a new token using pcdctl:

  2. Inspect the token's expires_at field to confirm the new lifetime is in effect:

Note on existing tokens

Changing the expiration setting affects only tokens issued after the restart. Tokens already in circulation retain their original expiration time.

Security Considerations

Longer token lifetimes reduce the frequency of authentication but also extend the window during which a stolen token remains valid. Consider the following before increasing the lifetime:

  • Use application credentials with limited scope for automation instead of long-lived user tokens. See Application Credentials.

  • Rotate tokens programmatically in automation scripts rather than setting a very long lifetime.

  • If a token is compromised, you can revoke it immediately using pcdctl token revoke <token-id> or the Identity Service API — this works regardless of the configured expiration.
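The rotation advice above, sketched as an added example (not code from this page or from PCD): a small cache that re-authenticates shortly before a token's expires_at instead of relying on a longer lifetime, plus a helper that derives the effective lifetime for the Step 4 check. The authenticate callable, the fake_identity_service stand-in and the 5-minute margin are hypothetical, and issued_at is assumed to be present alongside expires_at, as in Keystone token bodies.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse a timestamp such as '2025-01-01T00:00:00.000000Z' (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lifetime_seconds(body):
    """Lifetime of a token, from its issued_at and expires_at fields."""
    delta = parse_ts(body["expires_at"]) - parse_ts(body["issued_at"])
    return int(delta.total_seconds())

class RotatingToken:
    """Caches one token and re-authenticates shortly before it expires."""

    def __init__(self, authenticate, margin=timedelta(minutes=5), now=None):
        self._authenticate = authenticate  # hypothetical: returns (token_id, body)
        self._margin = margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._token_id, self._expires = None, None

    def get(self):
        """Return a token with at least `margin` of validity left."""
        if self._token_id is None or self._now() >= self._expires - self._margin:
            self._token_id, body = self._authenticate()
            self._expires = parse_ts(body["expires_at"])
        return self._token_id

def fake_identity_service(clock, lifetime=86400):
    """Constructed stand-in for the Identity Service: issues numbered tokens."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    issued = []
    def authenticate():
        now = clock()
        body = {"issued_at": now.strftime(fmt),
                "expires_at": (now + timedelta(seconds=lifetime)).strftime(fmt)}
        issued.append(body)
        return f"token-{len(issued)}", body
    return authenticate, issued

if __name__ == "__main__":
    t = [datetime(2025, 1, 1, tzinfo=timezone.utc)]  # constructed clock
    auth, issued = fake_identity_service(lambda: t[0])
    cache = RotatingToken(auth, now=lambda: t[0])
    print(cache.get(), lifetime_seconds(issued[0]))  # first authentication
    t[0] += timedelta(hours=23, minutes=56)          # now inside the margin
    print(cache.get())                               # token has been rotated
```

In a real script, authenticate would request a token with an application credential and return the token ID together with the token body.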
