--- layout: docs page_title: token renew - Command description: |- The "token renew" renews a token's lease, extending the amount of time it can be used. If a TOKEN is not provided, the locally authenticated token is used. Lease renewal will fail if the token is not renewable, the token has already been revoked, or if the token has already reached its maximum TTL. --- > [!IMPORTANT] > **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website. # token renew The `token renew` renews a token's lease, extending the amount of time it can be used. If a TOKEN is not provided, the locally authenticated token is used. Lease renewal will fail if the token is not renewable, the token has already been revoked, or if the token has already reached its maximum TTL. ## Examples Create a token first: ```shell-session $ vault token create Key Value --- ----- token hvs.CAESIJk8P_ieg60yf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU token_accessor ntL634hzE0CtQnyCIqkxSa82 token_duration 768h token_renewable true token_policies [default] ``` Renew a token using the token value and the `/auth/token/renew` endpoint: ```shell-session $ vault token renew hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU Key Value --- ----- token n/a token_accessor ntL634hzE0CtQnyCIqkxSa82 token_duration 768h token_renewable true token_policies [default] ``` Alternatively, renew a token using its accessor value. Renewing with the accessor vault is is useful when you do not have the actual token: ```shell-session $ vault token renew -accessor ntL634hzE0CtQnyCIqkxSa82 Key Value --- ----- token n/a token_accessor ntL634hzE0CtQnyCIqkxSa82 token_duration 768h token_renewable true token_policies [default] ``` Renew the currently authenticated token (this uses the `/auth/token/renew-self` endpoint and permission): ```shell-session $ vault token renew ``` Renew a token requesting a specific increment value: ```shell-session $ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU ``` Fail if the requested TTL increment cannot be fully fulfilled: ```shell-session $ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU --fail-if-not-fulfilled || vault login ``` You can renew tokens using the token itself or the associated accessor. The `token_accessor` parameter lets you perform limited operations (like renewal) without requiring sensitive data so you can manage tokens without handling the secret token itself. ## Usage The following flags are available in addition to the [standard set of flags](/vault/docs/commands) included on all commands. ### Output options - `-format` `(default: "table")` - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the `VAULT_FORMAT` environment variable. ### Command options - `-increment` `(duration: "")` - Request a specific increment for renewal. Vault will not honor this request for periodic tokens. If not supplied, Vault will use the default TTL. This is specified as a numeric string with suffix like "30s" or "5m". This is aliased as "-i". - `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a token. When this option is selected, the output will NOT include the token. - `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be fully fulfilled. Vault allows command chaining and token renewal request completion with capped duration even if renew request fails.