[role="xpack"] [[security-api-tokens]] === Token Management APIs The `token` API enables you to create and invalidate bearer tokens for access without requiring basic authentication. ==== Request `POST /_xpack/security/oauth2/token` + `DELETE /_xpack/security/oauth2/token` ==== Description The Get Token API takes the same parameters as a typical OAuth 2.0 token API except for the use of a JSON request body. A successful Get Token API call returns a JSON structure that contains the access token, the amount of time (seconds) that the token expires in, the type, and the scope if available. The tokens returned by the Get Token API have a finite period of time for which they are valid and after that time period, they can no longer be used. However, if you want to invalidate a token immediately, you can do so by using the Delete Token API. ==== Request Body The following parameters can be specified in the body of a POST request and pertain to creating a token: `grant_type`:: (string) The type of grant. Currently only the `password` grant type is supported. `password` (required):: (string) The user's password. `scope`:: (string) The scope of the token. Currently tokens are only issued for a scope of `FULL` regardless of the value sent with the request. `username` (required):: (string) The username that identifies the user. The following parameters can be specified in the body of a DELETE request and pertain to deleting a token: `token`:: (string) An access token. ==== Examples [[security-api-get-token]] To obtain a token, submit a POST request to the `/_xpack/security/oauth2/token` endpoint. [source,js] -------------------------------------------------- POST /_xpack/security/oauth2/token { "grant_type" : "password", "username" : "test_admin", "password" : "x-pack-test-password" } -------------------------------------------------- // CONSOLE The following example output contains the access token, the amount of time (in seconds) that the token expires in, and the type: [source,js] -------------------------------------------------- { "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==", "type" : "Bearer", "expires_in" : 1200 } -------------------------------------------------- // TESTRESPONSE[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/] The token returned by this API can be used by sending a request with a `Authorization` header with a value having the prefix `Bearer ` followed by the value of the `access_token`. [source,shell] -------------------------------------------------- curl -H "Authorization: Bearer dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==" http://localhost:9200/_cluster/health -------------------------------------------------- [[security-api-invalidate-token]] If a token must be invalidated immediately, you can do so by submitting a DELETE request to `/_xpack/security/oauth2/token`. For example: [source,js] -------------------------------------------------- DELETE /_xpack/security/oauth2/token { "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==" } -------------------------------------------------- // CONSOLE // TEST[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/] // TEST[continued] A successful call returns a JSON structure that indicates whether the token has already been invalidated. [source,js] -------------------------------------------------- { "created" : true <1> } -------------------------------------------------- // TESTRESPONSE <1> When a token has already been invalidated, `created` is set to false.