Create access tokens with the JFrog CLI

Create an access token. By default, you get a user-scoped token. Administrators can provide scope with --scope, or implicitly with --groups or --grant-admin.

📘
Prerequisite
A JFrog server must be configured with jf config add, or you must pass --url together with --access-token (or --user/--password) on every command. See Configuring the CLI.

Prerequisites

Access token authentication required: Your JFrog server must be configured with an access token. Username/password authentication is not supported for this command — the CLI will return an error if you attempt to use it with a username/password-configured server. To reconfigure, run jf config add and provide an access token instead of a password.

Synopsis

jf access-token-create [<username>] [options]

Aliases: jf atc

Arguments

Argument	Required	Description
`<username>`	No	Username for which the token is created. Omit to create for the current user

Options

Flag	Short	Default	Description
`--url`	—	—	JFrog Platform URL
`--user`	—	—	JFrog username
`--password`	—	—	JFrog password
`--access-token`	—	—	JFrog access token for authentication
`--server-id`	—	—	Server ID from `jf config`
`--ssh-key-path`	—	—	SSH key file path for authentication
`--ssh-passphrase`	—	—	SSH key passphrase
`--client-cert-path`	—	—	Client certificate file in PEM format (for mTLS authentication)
`--client-cert-key-path`	—	—	Private key file for the client certificate in PEM format
`--project`	—	—	JFrog project key
`--grant-admin`	—	`false`	Grant admin privileges (administrators only)
`--groups`	—	—	Comma-separated list of groups (administrators only)
`--scope`	—	—	Token scope (administrators only)
`--expiry`	—	platform default	Token expiry in seconds. Use `0` for a non-expiring token (admin only). Non-admin users cannot exceed the platform default (1 year by default).
`--refreshable`	—	`false`	Create a refreshable token
`--description`	—	—	Free-text token description (max 1024 characters)
`--audience`	—	—	Space-separated list of Service-IDs that accept this token
`--reference`	—	`false`	Generate a Reference Token in addition to the full access token. Both tokens are returned. Reference tokens are stored in the platform database and can be individually revoked. (Artifactory 7.38.10+)

Examples

Create a Token for the Current User

To create an access token for the current user:

Ensure a JFrog server is configured, or plan to pass --url and --access-token (see Prerequisite).
Run:
```
jf access-token-create
```
Or using the alias:
```
jf atc
```

The command creates a token for the authenticated user. You must have a configured server or pass --url and --access-token.

On success, the CLI prints a JSON response. The access_token field contains the token value — copy it immediately, as it is displayed only once:

{
  "access_token": "eyJ...",
  "expires_in": 31536000,
  "scope": "applied-permissions/user",
  "token_type": "Bearer"
}

Create a Token for a Specific User

To create an access token for another user (administrators):

Run one of the following:
```
jf access-token-create <username> --server-id=<server-id>
```
Where:
- <username>: Target JFrog username for the new token
- <server-id>: Server ID from your jf config configuration
For example:
```
jf access-token-create jdoe --server-id=my-server
```
Alternatively, pass credentials inline:
```
jf access-token-create <username> --url=<JFrogPlatformURL> --access-token=<Token>
```
Where:
- <username>: Target JFrog username for the new token
- <JFrogPlatformURL>: Base URL of your JFrog Platform deployment
- <Token>: Valid access token for an administrator (use a real token; do not commit it)
For example:
```
jf access-token-create jdoe --url=https://acme.jfrog.io --access-token=<Token>
```

Administrators create tokens for other users by specifying the username and credentials.

Create a Refreshable Token

To create a refreshable access token:

Run:
```
jf access-token-create --refreshable --expiry=<seconds>
```
Where:
- <seconds>: Token lifetime in seconds before expiry (for example, 3600)
For example:
```
jf atc --refreshable --expiry=3600
```

The token is refreshable, and a refresh token is returned for renewing it when it expires. On success:

{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "expires_in": 3600,
  "scope": "applied-permissions/user",
  "token_type": "Bearer"
}

Use the refresh_token value to obtain a new access token before the original expires.

Important Notes

Default scope: Without --scope, --groups, or --grant-admin, the token has the same permissions as the creating user.
Expiry: If you don't set --expiry, the platform's default token expiry applies (typically 1 year). Non-admin users cannot set an expiry greater than the platform default. Use --expiry=0 for a never-expiring token — this requires admin privileges.
Reference tokens: Use --reference to create a reference token alongside the full access token — both are returned in the response. Reference tokens are stored in the platform database and can be revoked individually. (Artifactory 7.38.10+)
Refreshable tokens: Use --refreshable to get a refresh token alongside the access token. This is useful for long-running CI/CD pipelines that may outlive the token's expiry.
Admin-only flags: --grant-admin, --groups, and --scope require admin privileges. Non-admin users can only create tokens for themselves.
Security: Tokens are displayed only once at creation time. Store them securely. If lost, create a new token.