vault/website/content/docs/commands/token/renew.mdx

---
layout: docs
page_title: token renew - Command
description: |-
  The "token renew" renews a token's lease, extending the amount of time it can
  be used. If a TOKEN is not provided, the locally authenticated token is used.
  Lease renewal will fail if the token is not renewable, the token has already
  been revoked, or if the token has already reached its maximum TTL.
---

# token renew

The `token renew` renews a token's lease, extending the amount of time it can be
used. If a TOKEN is not provided, the locally authenticated token is used. Lease
renewal will fail if the token is not renewable, the token has already been
revoked, or if the token has already reached its maximum TTL.

## Examples

Create a token first:

```shell-session
$ vault token create
Key                Value
---                -----
token              hvs.CAESIJk8P_ieg60yf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
token_accessor     ntL634hzE0CtQnyCIqkxSa82
token_duration     768h
token_renewable    true
token_policies     [default]
```

Renew a token using the token value and the `/auth/token/renew` endpoint:

```shell-session
$ vault token renew hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
Key                Value
---                -----
token              n/a
token_accessor     ntL634hzE0CtQnyCIqkxSa82
token_duration     768h
token_renewable    true
token_policies     [default]
```

Alternatively, renew a token using its accessor value. Renewing with the
 accessor vault is is useful when you do not have the actual token:

```shell-session
$ vault token renew -accessor ntL634hzE0CtQnyCIqkxSa82
Key                Value
---                -----
token              n/a
token_accessor     ntL634hzE0CtQnyCIqkxSa82
token_duration     768h
token_renewable    true
token_policies     [default]
```

Renew the currently authenticated token (this uses the `/auth/token/renew-self`
endpoint and permission):

```shell-session
$ vault token renew
```

Renew a token requesting a specific increment value:

```shell-session
$ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
```

Fail if the requested TTL increment cannot be fully fulfilled:

```shell-session
$ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU --fail-if-not-fulfilled || vault login
```

You can renew tokens using the token itself or the associated accessor.
The `token_accessor` parameter lets you perform limited operations (like
renewal) without requiring sensitive data so you can manage  tokens
without handling the secret token itself.

## Usage

The following flags are available in addition to the [standard set of
flags](/vault/docs/commands) included on all commands.

### Output options

- `-format` `(default: "table")` - Print the output in the given format. Valid
  formats are "table", "json", or "yaml". This can also be specified via the
  `VAULT_FORMAT` environment variable.

### Command options

- `-increment` `(duration: "")` - Request a specific increment for renewal.
  Vault will not honor this request for periodic tokens. If not supplied, Vault will use
  the default TTL. This is specified as a numeric string with suffix like "30s"
  or "5m". This is aliased as "-i".

- `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
token. When this option is selected, the output will NOT include the token.

- `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be
fully fulfilled. Vault allows command chaining and token renewal request
completion with capped duration even if renew request fails.