Create Access Tokens With JFrog CLI
Create an access token. By default, you get a user-scoped token. Administrators can provide scope with --scope, or implicitly with --groups or --grant-admin.
Prerequisites
- Access token authentication required. Your JFrog server must be configured with an access token. Username and password authentication is not supported for this command. The JFrog CLI returns an error if you attempt to use it with a username and password-configured server. To reconfigure, run
jf config addand provide an access token instead of a password.
Synopsis
jf access-token-create [<username>] [options]Aliases: jf atc
Arguments
The following table describes command arguments.
| Argument | Required | Description |
|---|---|---|
<username> | No | Username for which the token is created. Omit to create for the current user |
Options
The following table describes command options.
| Flag | Short | Default | Description |
|---|---|---|---|
--url | — | — | JFrog Platform URL |
--user | — | — | JFrog username |
--password | — | — | JFrog password |
--access-token | — | — | JFrog access token for authentication |
--server-id | — | — | Server ID from jf config |
--ssh-key-path | — | — | SSH key file path for authentication |
--ssh-passphrase | — | — | SSH key passphrase |
--client-cert-path | — | — | Client certificate file in PEM format (for mutual TLS authentication) |
--client-cert-key-path | — | — | Private key file for the client certificate in PEM format |
--project | — | — | JFrog project key |
--grant-admin | — | false | Grant admin privileges (administrators only) |
--groups | — | — | Comma-separated list of groups (administrators only) |
--scope | — | — | Token scope (administrators only) |
--expiry | — | platform default | Token expiry in seconds. Use 0 for a non-expiring token (admin only). Non-admin users cannot exceed the platform default (1 year by default). |
--refreshable | — | false | Create a refreshable token |
--description | — | — | Free-text token description (max 1024 characters) |
--audience | — | — | Space-separated list of Service-IDs that accept this token |
--reference | — | false | Generate a Reference Token in addition to the full access token. Both tokens are returned. Reference tokens are stored in the platform database and can be individually revoked. (JFrog Artifactory 7.38.10+) |
--format | — | json | Output format. Available from JFrog CLI 2.105.0. Accepts json or table. Defaults to json for backward compatibility. In table output the access_token value is truncated to 40 characters. Passing --format alone returns Incorrect Usage: flag needs an argument: -format; passing an unsupported value (for example, --format=yaml) returns [🚨Error] only the following output formats are supported: json, table. |
Examples
Create a Token for the Current User
To create an access token for the current user:
-
Ensure a JFrog server is configured, or plan to pass
--urland--access-token(see the prerequisite at the start of this topic). -
Run:
jf access-token-createOr using the alias:
jf atc
The command creates a token for the authenticated user. You must have a configured server or pass --url and --access-token.
On success, the JFrog CLI prints the response in the format set by --format. The access_token field contains the token value. Copy it immediately, as it is displayed only once.
--format json (default):
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
"token_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"expires_in": 3600,
"scope": "applied-permissions/user",
"token_type": "Bearer",
"refreshable": false,
"refresh_token": "",
"reference_token": "",
"grant_type": "client_credentials",
"audience": "jfrt@*"
}--format table (the access_token is truncated to 40 characters to avoid flooding the terminal):
FIELD VALUE
access_token eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
token_id a1b2c3d4-e5f6-7890-abcd-ef1234567890
expires_in 3600
scope applied-permissions/user
token_type Bearer
refreshable false
grant_type client_credentials
audience jfrt@*Create a Token for a Specific User
To create an access token for another user (administrators):
-
Run one of the following:
jf access-token-create <username> --server-id=<server-id>Where:
<username>: Target JFrog username for the new token.<server-id>: Server ID from yourjf configconfiguration.
For example:
jf access-token-create jdoe --server-id=my-server -
Alternatively, pass credentials inline:
jf access-token-create <username> --url=<JFrogPlatformURL> --access-token=<Token>Where:
<username>: Target JFrog username for the new token.<JFrogPlatformURL>: Base URL of your JFrog Platform deployment.<Token>: Valid access token for an administrator (use a real token. Do not commit it).
For example:
jf access-token-create jdoe --url=https://acme.jfrog.io --access-token=<Token>
Administrators create tokens for other users by specifying the username and credentials.
Create a Refreshable Token
To create a refreshable access token:
-
Run:
jf access-token-create --refreshable --expiry=<seconds>Where:
<seconds>: Token lifetime in seconds before expiry (for example,3600).
For example:
jf atc --refreshable --expiry=3600
The token is refreshable, and a refresh token is returned for renewing it when it expires. On success:
{
"access_token": "eyJ...",
"refresh_token": "eyJ...",
"expires_in": 3600,
"scope": "applied-permissions/user",
"token_type": "Bearer"
}Use the refresh_token value to obtain a new access token before the original expires.
Important Notes
- Default scope. Without
--scope,--groups, or--grant-admin, the token has the same permissions as the creating user. - Expiry. If you don't set
--expiry, the platform's default token expiry applies (typically 1 year). Non-admin users cannot set an expiry greater than the platform default. Use--expiry=0for a never-expiring token. This requires admin privileges. - Reference tokens. Use
--referenceto create a reference token alongside the full access token. Both are returned in the response. Reference tokens are stored in the platform database and can be revoked individually. (JFrog Artifactory 7.38.10+) - Refreshable tokens. Use
--refreshableto get a refresh token alongside the access token. This helps long-running CI/CD pipelines that may outlive the token's expiry. - Admin-only flags.
--grant-admin,--groups, and--scoperequire admin privileges. Non-admin users can only create tokens for themselves. - Security. Tokens are displayed only once at creation time. Store them securely. If lost, create a new token.