Access Tokens
Access tokens are objects that facilitate machine account access to, and the ability to decrypt, edit, and create secrets stored in Secrets Manager. Access tokens are issued to a particular machine account, and will give any machine they're applied to the ability to access only the secrets associated with that machine account.
Access tokens are never stored in Bitwarden databases and cannot be retrieved, so take care to store your access tokens somewhere safe when you generate them. To create an access token:
Select Machine accounts from the navigation.
Select the machine account to create an access token for, and open the Access tokens tab.
Select the Create access token button.
On the Create Access Token window, provide:
A Name for the token.
When the token Expires. By default, Never.
Select the Create access token button when you're finished configuring the token.
A window will appear printing your access token to the screen. Save your token somewhere safe before closing this window, as your token will not be stored and cannot be retrieved later.
This access token is the authentication vehicle through which you'll be able to script secret injection and editing by your machines and applications.
Access tokens are used for authentication by the Secrets Manager CLI. Once you've created your access token and saved its value somewhere safe, use it to authenticate secret retrieval commands by the CLI for injection into your applications or infrastructure. This could be:
Exporting the access token to a BWS_ACCESS_TOKEN environment variable on the host machine. CLI commands like the following will automatically check for a variable with that key for authentication:

    bws project get e325ea69-a3ab-4dff-836f-b02e013fe530
Using the --access-token option inline in a script written to get and inject secrets, for example something that includes the lines:

    ...
    # jq -r prints the raw string, without the surrounding JSON quotes
    export DB_PW=$(bws secret get fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff --access-token 0.48c78342-1635-48a6-accd-afbe01336365.C0tMmQqHnAp1h0gL8bngprlPOYutt0:B3h5D+YgLvFiQhWkIq6Bow== | jq -r '.value')
    ...
    docker run -d database ... --env DB_PW=$DB_PW ... mysql:latest
Using our dedicated GitHub Actions integration to save the access token as a repository secret for use in your workflow files.
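A hardened variant of the first two options above, as an added example that is not part of Bitwarden's documentation: the token is read from an owner-only file into BWS_ACCESS_TOKEN, so it never appears in the script, on a command line, or in shell history. The token file path and secret ID passed to main are hypothetical inputs, and jq and docker are assumed to be installed.

```bash
#!/bin/sh
# Added example: keep the access token out of scripts, argv and shell history.
# The token file path and secret ID given to main are hypothetical inputs.

# Export BWS_ACCESS_TOKEN from a file, but only if the file is owner-only.
load_bws_token() {
  [ -f "$1" ] || { echo "token file not found: $1" >&2; return 1; }
  # Characters 5-10 of `ls -l` output are the group and other permission bits.
  _bits=$(ls -ld -- "$1" | cut -c5-10)
  if [ "$_bits" != "------" ]; then
    echo "refusing $1: accessible beyond its owner (chmod 600 it)" >&2
    return 1
  fi
  BWS_ACCESS_TOKEN=$(tr -d '[:space:]' < "$1")
  [ -n "$BWS_ACCESS_TOKEN" ] || { echo "token file is empty: $1" >&2; return 1; }
  export BWS_ACCESS_TOKEN   # bws checks this variable for authentication
}

# Print a secret's value. No --access-token here: bws reads the environment.
get_secret_value() {
  _json=$(bws secret get "$1") || return 1
  printf '%s' "$_json" | jq -r '.value'
}

main() {
  load_bws_token "$1" || return 1
  DB_PW=$(get_secret_value "$2") || return 1
  [ -n "$DB_PW" ] || { echo "secret $2 returned no value" >&2; return 1; }
  export DB_PW
  # `--env DB_PW` without a value passes the variable through from this shell,
  # so the password is not written on the docker command line either.
  docker run -d --env DB_PW mysql:latest
}

# Usage: sh inject.sh <token-file> <secret-id>
if [ "$#" -eq 2 ]; then main "$@"; fi
```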
At any time, you can revoke an access token. Revoking a token will break the ability of any machines currently using it to retrieve and decrypt secrets. To revoke a token:
Select Machine accounts from the navigation, and open the Access tokens tab.
For the access token you want to revoke, use the options menu to select Revoke access token.