
# Token Lifetime Configuration

## Overview

Private Cloud Director uses tokens issued by the Identity Service to authenticate all API requests and CLI commands. Every token has a finite lifetime. After a token expires, the user or service must re-authenticate to obtain a new token.

Understanding the default token lifetime and how to extend it is important for:

* Long-running automation scripts or batch jobs that need a token valid for several hours.
* Service accounts and application credentials used in pipelines.
* Environments where re-authenticating frequently is disruptive.

In this guide, you will learn the default token lifetime and how to change it.

{% hint style="info" %}
**Token lifetime vs. session timeout**

The token lifetime controls how long a token issued by the Identity Service remains valid. Browser session timeouts in the PCD UI are a separate setting and are not covered here.
{% endhint %}

## Default Token Lifetime

The default token lifetime for Private Cloud Director is **24 hours** (86,400 seconds). Tokens issued by the `password` or `token` authentication methods both use this default.

## Change the Token Lifetime

{% hint style="warning" %}
**Self-Hosted deployments only**

The following steps require access to the management plane configuration. These steps apply only to Self-Hosted Private Cloud Director deployments where you operate the management plane directly.

**SaaS customers:** you cannot change the token lifetime yourself. Contact Platform9 Support to request a token lifetime adjustment for your environment.
{% endhint %}

The token lifetime is controlled by the `expiration` parameter in the Identity Service configuration.

### Step 1: Identify the Identity Service Configuration

1. Log in to a management plane node or connect to the management plane cluster.
2. Locate the Identity Service configuration. In a typical Self-Hosted deployment, the configuration is managed as a Kubernetes ConfigMap or a mounted configuration file. Check with your Platform9 support contact or refer to your deployment's airctl configuration for the exact location.

### Step 2: Update the Token Expiration Setting

1. Edit the Identity Service configuration to set the `expiration` value under the `[token]` section of `keystone.conf`:

```ini
[token]
expiration = 86400
```

To change the lifetime to, for example, 48 hours (172,800 seconds):

```ini
[token]
expiration = 172800
```

2. Save the configuration change.

### Step 3: Apply the Change

1. Restart the Identity Service pods to pick up the updated configuration:

```bash
kubectl rollout restart deployment keystone -n platform9
```

2. Wait for the rollout to complete:

```bash
kubectl rollout status deployment keystone -n platform9
```

### Step 4: Verify the Change

1. Obtain a new token using `pcdctl`:

```bash
pcdctl token issue --os-username <username> --os-password <password> \
  --os-user-domain-name Default --os-project-name <tenant-name> \
  --os-auth-url https://<FQDN>/keystone/v3
```

2. Inspect the token's `expires_at` field to confirm the new lifetime is in effect:

```bash
pcdctl token show <token-id>
```

{% hint style="info" %}
**Note on existing tokens**

Changing the `expiration` setting affects only tokens issued **after** the restart. Tokens already in circulation retain their original expiration time.
{% endhint %}

## Security Considerations

Longer token lifetimes reduce the frequency of authentication but also extend the window during which a stolen token remains valid. Consider the following before increasing the lifetime:

* Use application credentials with limited scope for automation instead of long-lived user tokens. See [Application Credentials](/private-cloud-director/identity-and-multi-tenancy/application-credentials.md).
* Rotate tokens programmatically in automation scripts rather than setting a very long lifetime.
* If a token is compromised, you can revoke it immediately using `pcdctl token revoke <token-id>` or the Identity Service API — this works regardless of the configured expiration.
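
The following added example (not Platform9 code) covers both the Step 4 check and the rotation advice above: it computes the lifetime a token was actually granted and re-issues a token shortly before expiry. It assumes the token body exposes `issued_at` alongside `expires_at`, as the Keystone v3 API does; the sample token and the `issue` callback are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the two timestamp fields of a Keystone v3 token body,
# for a token issued with expiration = 172800 (48 hours).
SAMPLE_TOKEN = {
    "issued_at": "2024-05-01T10:00:00.000000Z",
    "expires_at": "2024-05-03T10:00:00.000000Z",
}

def _parse(ts):
    # Timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def token_lifetime_seconds(token):
    """Lifetime the Identity Service granted this token, in seconds."""
    delta = _parse(token["expires_at"]) - _parse(token["issued_at"])
    return int(delta.total_seconds())

def lifetime_matches(token, configured_expiration, tolerance=5):
    """Step 4 check: does the token reflect the [token] expiration value?"""
    return abs(token_lifetime_seconds(token) - configured_expiration) <= tolerance

def needs_rotation(token, now=None, margin=timedelta(minutes=10)):
    """True when the token has expired or will expire within `margin`."""
    now = now or datetime.now(timezone.utc)
    return _parse(token["expires_at"]) - now <= margin

class RotatingToken:
    """Re-issues a token shortly before expiry instead of relying on a long lifetime.

    `issue` is a caller-supplied function (hypothetical) that authenticates,
    ideally with an application credential, and returns the token body.
    """
    def __init__(self, issue, margin=timedelta(minutes=10)):
        self._issue, self._margin, self._token = issue, margin, None

    def get(self, now=None):
        if self._token is None or needs_rotation(self._token, now, self._margin):
            self._token = self._issue()
        return self._token
```

A token that still reports the old lifetime after the restart was issued before the change took effect, consistent with the note on existing tokens.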

## Next Steps

* To create scoped credentials for automation use cases, see [Application Credentials](/private-cloud-director/identity-and-multi-tenancy/application-credentials.md).
* To understand role-based access control, see [RBAC Roles and Permissions](/private-cloud-director/identity-and-multi-tenancy/rbac-roles-and-permissions.md).


