Token Lifetime Configuration

Learn about the default Identity Service token lifetime in PCD and how to change it for self-hosted deployments.

Overview

Private Cloud Director uses tokens issued by the Identity Service to authenticate all API requests and CLI commands. Every token has a finite lifetime. After a token expires, the user or service must re-authenticate to obtain a new token.

Understanding the default token lifetime and how to extend it is important for:

Long-running automation scripts or batch jobs that need a token valid for several hours.
Service accounts and application credentials used in pipelines.
Environments where re-authenticating frequently is disruptive.

In this guide, you will learn the default token lifetime and how to change it.

Token lifetime vs. session timeout

The token lifetime controls how long a token issued by the Identity Service remains valid. Browser session timeouts in the PCD UI are a separate setting and are not covered here.

Default Token Lifetime

The default token lifetime for Private Cloud Director is 24 hours (86,400 seconds). Tokens issued by the password or token authentication methods both use this default.

Change the Token Lifetime

Self-Hosted deployments only

The following steps require access to the management plane configuration. These steps apply only to Self-Hosted Private Cloud Director deployments where you operate the management plane directly.

SaaS customers: you cannot change the token lifetime yourself. Contact Platform9 Support to request a token lifetime adjustment for your environment.

The token lifetime is controlled by the expiration parameter in the Identity Service configuration.

Step 1: Identify the Identity Service Configuration

Log in to a management plane node or connect to the management plane cluster.
Locate the Identity Service configuration. In a typical Self-Hosted deployment, the configuration is managed as a Kubernetes ConfigMap or a mounted configuration file. Check with your Platform9 support contact or refer to your deployment's airctl configuration for the exact location.

Step 2: Update the Token Expiration Setting

Edit the Identity Service configuration to set the expiration value under the [token] section of keystone.conf:

[token]
expiration = 86400

To change the lifetime to, for example, 48 hours (172,800 seconds):

[token]
expiration = 172800

Save the configuration change.

Step 3: Apply the Change

Restart the Identity Service pods to pick up the updated configuration:

kubectl rollout restart deployment keystone -n platform9

Wait for the rollout to complete:

kubectl rollout status deployment keystone -n platform9

Step 4: Verify the Change

Obtain a new token using pcdctl:

pcdctl token issue --os-username <username> --os-password <password> \
  --os-user-domain-name Default --os-project-name <tenant-name> \
  --os-auth-url https://<FQDN>/keystone/v3

Inspect the token's expires_at field to confirm the new lifetime is in effect:

pcdctl token show <token-id>

Note on existing tokens

Changing the expiration setting affects only tokens issued after the restart. Tokens already in circulation retain their original expiration time.

Security Considerations

Longer token lifetimes reduce the frequency of authentication but also extend the window during which a stolen token remains valid. Consider the following before increasing the lifetime:

Use application credentials with limited scope for automation instead of long-lived user tokens. See Application Credentials.
Rotate tokens programmatically in automation scripts rather than setting a very long lifetime.
If a token is compromised, you can revoke it immediately using pcdctl token revoke <token-id> or the Identity Service API — this works regardless of the configured expiration.

Next Steps

To create scoped credentials for automation use cases, see Application Credentials.
To understand role-based access control, see RBAC Roles and Permissions.

PreviousApplication Credentials NextTenant Lifecycle: Rename and Delete

Last updated 12 days ago

Was this helpful?