IBM Cloud Docs
Setting limits for IAM tokens

Setting limits for IAM tokens

As an account owner or user assigned the administrator role for the Identity service, you can meet your security requirements by setting custom expiration values for tokens. Identity and Access Management (IAM) access tokens and refresh tokens can both be customized for token limits.

Token expiration settings apply only when there is no connected login session. For more information, see Determining when sessions are created.

Before you begin

If you have the following access, you can update the settings for token expiration:

  • Account owner
  • Operator or admin role on all account management services
  • Operator or admin role on IAM Identity service

For more information about access, see Actions and roles for account management services.

Managing access token expiration

IAM access tokens can be used to invoke various IBM Cloud APIs. This is a temporary credential that is the result of an authentication. After the acquired access token expires, a refresh token is used to get a new access token so that you can continue calling IBM Cloud or service APIs.

To update your access token expiration setting, complete the following steps:

  1. In the IBM Cloud® console, click Manage > Access (IAM), and select Settings.
  2. From the Login session section, click the Edit icon Edit icon on the Access token tile.
  3. Enter the time limit in minutes. An access token can be valid for up to 60 minutes.
  4. Click Save.

Managing refresh token expiration

When available, this credential is used to get a new access token without reauthentication. This token isn't sent to APIs and is used only to get new access tokens.

To update your refresh token expiration setting, complete the following steps:

  1. In the IBM Cloud® console, click Manage > Access (IAM), and select Settings.
  2. From the Login session section, click the Edit icon Edit icon on the Refresh token tile.
  3. Enter the time limit in hours. A refresh token can be valid for up to 72 hours (3 days).
  4. Click Save.

Determining when sessions are created

Sessions are created when a user logs in to the IBM Cloud® CLI or IBM Cloud® console. For example, if you create a user API key and use it for the IBM Cloud® CLI, this generates a login session. However, if you use the same API key to create a token for API calls, like creating an IAM access token for a user or service ID, this does not generate a session.

Tokens expiration settings apply only if there is no connected login session. If a login session is created, then limits for login sessions apply. Use the following table to help you understand when each setting applies.

Table 1. Sessions and refresh token availability - Users
When a session is created or not depends on a combination of the identity type and login type.
Login type Sessions Refresh tokens
IBM Cloud® Console Checkmark icon Checkmark icon
IBM Cloud® CLI Checkmark icon Checkmark icon
API call
Table 1. Sessions and refresh token availability - Trusted profiles for federated users
When a session is created or not depends on a combination of the identity type and login type.
Login type Sessions Refresh tokens
IBM Cloud® Console Checkmark icon Checkmark icon
IBM Cloud® CLI Checkmark icon Checkmark icon
API call
Table 1. Sessions and refresh token availability - Service IDs
When a session is created or not depends on a combination of the identity type and login type.
Login type Sessions Refresh tokens
IBM Cloud® Console N/A N/A
IBM Cloud® CLI Checkmark icon
API call

Next steps

For more information about using IAM access tokens, see the following topics: