Difficulty: beginner
Estimated Time: 10 minutes


NOTE: Batch tokens are Vault 1.0 feature which is currently in Beta.


Tokens are the core method for authentication within Vault. Tokens can be used directly or dynamically generated by the auth methods. Regardless, the clients need valid tokens to interact with Vault.

There are two types of tokens: service tokens and batch tokens. The service tokens are persisted; therefore, they can be renewed or revoked before reaching its time-to-live (TTL). On the other hand, batch tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, batch tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of service tokens.

Service Tokens vs. Batch Tokens

As the number of machines and apps using Vault for secret management scales, Vault must manage the growing number of client tokens. The creation of service tokens can start affecting the Vault performance since they must be replicated across the primary and secondary clusters. On the other hand, batch tokens are neither persisted to disk nor live in memory, they are not a part of the data replication process.

Depending on the use case and the performance requirements, the batch tokens might work better than the service tokens or vice versa.

This tutorial focuses on the batch tokens. To learn more about service tokens, try Vault Token Lifecycle scenario.

This scenario demonstrated the sharacteristics of batch tokens introduced in Vault 1.0 (currently in Beta).


Don’t stop now! The next scenario will only take about 10 minutes to complete.

[Vault 1.0 Beta] Batch Tokens

Step 1 of 5

Getting Started

Enter the following command to start the Vault server in development mode.

Click on the command () will automatically copy it into the terminal and execute it.

vault server -dev -dev-root-token-id="root"

Scroll up the Terminal to locate the following output:

==> Vault server configuration:

             Api Address:
                     Cgo: disabled
         Cluster Address:
              Listener 1: tcp (addr: "", cluster address: "", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: (not set)
                   Mlock: supported: false, enabled: false
                 Storage: inmem
                 Version: Vault v1.0.0-beta1
             Version Sha: ebc733f4ca5d362fdfb302ac75953228585c54a2

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

When Vault is running in development mode, it runs entirely in-memory that the data does not get persisted. This build-in, pre-configured server is useful for local development, testing and exploration.

Login with root token

Click the + next to the opened Terminal, and select Open New Terminal.

New Terminal

In the Terminal 2, set the VAULT_ADDR environment variable:

export VAULT_ADDR=''

Login with the generated root token.

vault login root

Now, you are logged in as a root and ready to play!