Skip to main content

Rotate DAS API Tokens

This guide describes how to automate rotation of the token used by automation to authenticate with DAS.


The following prerequisites are required to rotate the token used by OPAs:

  • Administrator access to DAS

Setup a Refresh Token and Initial Application Token

First, you need to create a refresh token. Refresh tokens are used to rotate other tokens and that is the only access rights they have. To do this follow the guide to create a DAS token and when assigning the token a role, use the WorkspaceTokenRefresher role. This role is limited in scope so that the only operation it allows is to update tokens. If the application token belongs to a system, then you will need to use the SystemTokenRefresher role instead.

After this, you will also need to create an application token, and assign it an appropriate role. Throughout the remainder of this page, this token will be referred to as the application token, and its id is assumed to be application-token. The application token should be given a limited time-to-live (TTL), such as 24 hours, depending on how frequently you would like to rotate tokens.

Rotating the Application Token

Next, update your automation to rotate the application token. You will use the refresh token to renew the application token, so the refresh token should be stored so that your automation can access it securely.

The application token is configured with a TTL and once it expires, all DAS APIs return a 401 status code. Receiving a 401 status code is the signal that the token is expired and must be updated before it can be used again.

Once a response with a 401 status code is received, the following is an example of using curl to renew the application token, where $refresh_token is the secret value of the refresh token:

curl -H "Authorization: Bearer $refresh_token" -X PUT -d '{"regenerate": true, "ttl": "24h"}'

Rotating the Refresh Token

You may also use the refresh token to rotate itself. Currently, it is not possible to limit the number of times a token may be used; however, you can set the refresh token up with a limited TTL, and then use it to rotate itself before the TTL expires. Note that if configured in this manner, you must rotate the refresh token before its TTL expires or it will be unusable and not able to rotate itself or any other tokens. Once you have regenerated the refresh token, the previous secret value is no longer useable, and you must write the new secret value to persistent storage so that its value is not lost.