configure web authentication tokenNEW!

configure web authentication token default-ttl seconds

Description

Configures the default time-to-live (TTL) for web authentication tokens.

Syntax Description


`seconds`	Validity time of token in seconds (60-86,400). Default is 86,400.

Default

The default token TTL is 86,400 seconds (24 hours).

Usage Guidelines

Use this command to configure the default validity period for authentication tokens issued by the web interface. Authentication tokens are generated via API calls to the /auth/token endpoint and used for subsequent API requests via the x-auth-token header.

Token Authentication:

The web interface supports two authentication mechanisms:

Basic authentication - Username and password passed with each request
Token authentication - Token generated once and reused for multiple requests during its validity period

Token authentication is particularly useful for automation tools and scripts that make multiple API calls, as it reduces the overhead of authenticating each request.

Default TTL Behavior:

The configured default TTL applies when the API request for token generation does not include a TTL property. If the API request specifies a TTL value in the request body, that value takes precedence over the configured default.

Use Cases:

Short-lived tokens (60-3600 seconds): Appropriate for automation tools like Ansible modules that execute brief tasks. Shorter token lifetimes reduce the risk window if a token is compromised.
Standard tokens (3600-86400 seconds): Suitable for interactive sessions or longer-running automation tasks requiring extended token validity.

Configuration Persistence:

The token TTL configuration persists across reboots and can be viewed in show configuration thttpd and show switch management outputs.

Security Considerations:

Shorter token lifetimes enhance security by limiting the time window during which a compromised token can be used. Balance security requirements against the operational needs of your automation workflows when selecting a TTL value.

Example

Configure a 1-minute (60 seconds) token TTL for short-lived automation tasks:

configure web authentication token default-ttl 60

Configure a 1-hour (3600 seconds) token TTL:

configure web authentication token default-ttl 3600

View the configured token TTL in the configuration:

show configuration thttpd

Sample output:

#
# Module thttpd configuration.
#
enable web http
enable web https
configure ssl certificate hash-algorithm sha512
configure web authentication token default-ttl 60

View the token TTL in switch management information:

show switch management

Sample output excerpt:

Web access                       : Enabled (tcp port 80)
                                 : Access Profile : not set
                                 : Auth token default TTL: 60 seconds

Generate a token using the API:

curl --request POST \
  --url http://<switch-ip>/auth/token \
  --header 'content-type: application/json' \
  --data '{
  "username": "admin",
  "password": ""
}'

Sample response showing the configured TTL:

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "ttl": 60
}

Use the token in subsequent API requests:

curl --request GET \
  --url 'http://<switch-ip>/rest/openapi/v0/state/slpp' \
  --header 'x-auth-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...'

History

This command was first available in version 33.6.1.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, and X695 series switches.