rekor tokens

Manage API tokens

Subcommands

rekor tokens create

Create a scoped API token

  • --name <name> — Token name
  • --grants <json> — Grant definitions as JSON array

rekor tokens create-for-toolset <slug>

Create a toolset-bound (consumer) token whose authorization IS the toolset tool surface — it can call exactly the tools that toolset exposes (those record_types + operations, relationships, batch, and sql only if enabled) and nothing else. Binds to the configured --base.

  • --name <name> — Token name (default: "<slug> consumer")

rekor tokens list

List API tokens (status, last_used_at, expires_at, description)

rekor tokens revoke <token_id>

Revoke an API token (permanent). A recently-used or toolset-bound token requires --force.

  • --force — Revoke even if the token appears to be in live use

rekor tokens prune

Revoke stale tokens, selected by staleness only (expired, or unused past --unused-since) — never by name. Previews by default; revoking requires --yes or an interactive confirmation.

  • --unused-since <duration> — Also prune tokens with no activity for this long (e.g. 30d). Skips toolset-bound and legacy usage-untracked tokens.
  • --include-bound — Allow pruning stale toolset-bound (consumer) tokens
  • -y, --yes — Revoke without prompting (required when non-interactive)
tokens — Rekor