Manage authentication tokens
Authentication tokens are valid for 24 hours by default. The expiration timestamp is included in the token object returned in the authentication response. Administrators and users can invalidate a token immediately by submitting a Revoke token API request to the Identity service endpoint.
If you re-authenticate before the token expires, the Identity service returns a new token.
When a token expires or becomes invalid, any API request submitted against Rackspace Cloud services returns a 401 error message. To regain access, submit another POST tokens request to the authentication endpoint.
When you authenticate to the Identity service, cache the token value that is returned.
The Identity service validates the authentication in every API request before attempting to complete the operation. To optimize your API operations and reduce system load, store the authentication token in a secure cache or database so that applications can use the stored value instead of requiring the application to issue an authentication request before each API operation. You can re-use the cached token value as long as it remains valid.
For an example of how to cache credentials with an SDK, see Caching credentials in the php-opencloud documentation.
Design applications to re-authenticate after receiving a 401 Unauthorized response from a service endpoint, or use either of the following methods to check the token expiration and re-authenticate before the token expires.
- Submit a POST tokens request within an hour of the token expiration to obtain a new token. Note that this behavior is a Rackspace customization of the OpenStack Identity (keystone) implementation.
- Submit a DELETE token request to revoke the existing token, and then submit another POST tokens request to get a new token.
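The caching and re-authentication behavior described above, as an added example (not Rackspace or SDK code). The `TokenCache` class and its `authenticate` and `send` callables are hypothetical names, the response shape `access.token.id` / `access.token.expires` is assumed to follow the Identity v2.0 format, and the token is held in process memory only.

```python
from datetime import datetime, timedelta, timezone


class TokenCache:
    """Hold one Identity token; re-authenticate only when it is missing,
    close to expiry, or rejected with a 401."""

    def __init__(self, authenticate, margin=timedelta(minutes=30), now=None):
        # authenticate: hypothetical callable that sends the POST tokens
        # request and returns the parsed JSON response body.
        self._authenticate = authenticate
        self._margin = margin  # refresh this long before expiry
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._token = None
        self._expires = None

    def _refresh(self):
        # Assumed response shape: {"access": {"token": {"id", "expires"}}}
        tok = self._authenticate()["access"]["token"]
        # fromisoformat() rejects a trailing "Z" before Python 3.11.
        expires = datetime.fromisoformat(tok["expires"].replace("Z", "+00:00"))
        if expires.tzinfo is None:  # treat a naive timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        self._token, self._expires = tok["id"], expires

    def token(self):
        if self._token is None or self._now() >= self._expires - self._margin:
            self._refresh()
        return self._token

    def call(self, send):
        """send(token) -> (status, body). A 401 means the cached token
        expired or was revoked: drop it and retry exactly once."""
        status, body = send(self.token())
        if status == 401:
            self._token = None
            status, body = send(self.token())
        return status, body


if __name__ == "__main__":
    def fake_authenticate():  # constructed stand-in, no network access
        exp = datetime.now(timezone.utc) + timedelta(hours=24)
        return {"access": {"token": {"id": "example-token", "expires": exp.isoformat()}}}

    cache = TokenCache(fake_authenticate)
    # One authentication serves both calls; never log the token itself.
    print(cache.call(lambda t: (200, "ok")), cache.call(lambda t: (200, "ok")))
```

The single retry after a 401 keeps a revoked or rejected credential from turning into an authentication loop against the Identity endpoint.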
To simplify authentication, credential, and token management, use an OpenStack command-line client application.