Create Admin Tokens

You can create admin tokens to provide tokenized account access for automated strongDM use. This guide describes how to set up and use admin tokens. To create an admin token, you'll need to have admin access to the strongDM Admin UI.

Admin tokens are for administrative tasks, including:

  • Auditing
  • Managing users
  • Managing roles
  • Managing resources
  • Managing gateways and relays
  • Managing access
  • Managing Secret Stores

Create Admin Tokens

Admin tokens are generated in the Admin UI in Access > API & Admin Tokens. To create an admin token, follow these steps:

  1. On Access > API & Admin Tokens, click add token.
  2. On the Create Admin Token page:
    1. Give your token a name.
    2. Specify how long the token will be valid.
    3. Choose which rights this admin token will have and select the appropriate options for your admin token use case.
Create Admin Token
Create Admin Token
  1. Click Create. The token will appear in a pop-up window. Copy the token and keep it somewhere safe, as you will not be able to view the token after this point.
Admin Token Secret
Admin Token Secret


There are two methods to authenticate the CLI with an admin token: with an environment variable or through the sdm login command.

Environment Variable

The CLI will reference the environment variable SDM_ADMIN_TOKEN if it is set. You can set this in your shell by using export:

export SDM_ADMIN_TOKEN='token_value_here'

Login Command

The CLI can use the token directly if the --admin-token flag is used:

sdm login --admin-token='token_value_here'

If the admin token is used at login in this manner, or if SDM_ADMIN_TOKEN is set as an environment variable, there is no need to log in via the CLI or GUI (any active client sessions will be broken when you try to log in with the --admin-token flag). Instead, you can just begin executing commands without needing to log in with credentials.

General Usage

Once authenticated with an admin token, you will be able to run any sdm admin command granted to the token. No other commands (e.g., sdm status) will work using an admin token, regardless of permission level.

You can run any of the following commands that you have granted to the token once you're authenticated with the token:

  • User commands: sdm admin users list
  • Role commands: sdm admin roles list
  • Datasource commands: sdm admin datasources list
  • Server commands: sdm admin servers list
  • Relay commands: sdm admin relays list. Note that the relays list command requires the token to also have been granted datasources list, otherwise relays list will not work since it provides some information on the connected datasources for each relay.

Rotate Admin Tokens

Rotating an admin token will generate a new secret while maintaining the name and permissions. We recommend doing so if you believe a token has been compromised or if a user with access to the token has left your organization.

Revoke Admin Tokens

Once a token has been rotated or deleted, the token will immediately lose its ability to authenticate commands from that point forward.

Admin UI Guide — Previous
Next — Admin UI Guide
Access Rules