import ""


TokenRequest requests a token for a given service account.


TokenRequestSpec contains client provided parameters of a token request.

  • audiences ([]string), required
    Audiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
  • boundObjectRef (BoundObjectReference)
    BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server’s TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.
    BoundObjectReference is a reference to an object that a token is bound to.
    • boundObjectRef.apiVersion (string)
      API version of the referent.
    • boundObjectRef.kind (string)
      Kind of the referent. Valid kinds are ‘Pod’ and ‘Secret’.
    • (string)
      Name of the referent.
    • boundObjectRef.uid (string)
      UID of the referent.
  • expirationSeconds (int64)
    ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the ‘expiration’ field in a response.


TokenRequestStatus is the result of a token request.

  • expirationTimestamp (Time), required
    ExpirationTimestamp is the time of expiration of the returned token.
    Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  • token (string), required
    Token is the opaque bearer token.


create create token of a ServiceAccount

HTTP Request

POST /api/v1/namespaces/{namespace}/serviceaccounts/{name}/token


200 (TokenRequest): OK
201 (TokenRequest): Created
202 (TokenRequest): Accepted
401: Unauthorized