Access Tokens
Access tokens provide a user-friendly, secure means of authorizing access to resources.
Authentication using usernames and passwords
To access the OpCenter, all users must authenticate successfully. Several authentication methods are available, for example:
- Local ("built-in")
- Directory service such as LDAP or NIS
- SAML-based service such as the Okta platform
Local, LDAP, and NIS users rely on usernames and passwords to authenticate; the difference is where the username/password pairs are stored. In the SAML architecture, the Identity Provider (IdP) authenticates the user with whatever method the IdP uses, which could be an internal database, an LDAP server, or something else.
Authentication using access tokens
An access token is generated by a system after authenticating the user via username/password credentials, multi-factor authentication, or some other method. The access token contains information about the user, user permissions, and other metadata. The access token is digitally signed to ensure integrity and authenticity, and has a limited lifetime determined by a configurable time-to-live parameter.
Access tokens are more secure than username/password credentials because tokens are valid for a limited time, can be revoked easily, can limit the resources available to users, and are not susceptible to replay, phishing or brute force attacks.
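As an added example (not OpCenter code and not from the original page), the following Python code issues and checks a signed, time-limited token in the HS256 JWT format, whose header `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` also opens the sample tokens on this page. The key, timestamps, claim names and all function names are constructed assumptions; the page does not show how OpCenter validates tokens.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed; a real signing key stays on the server
ISSUED = 1_700_000_000          # constructed issue time (Unix seconds)
CLAIMS = {"username": "alice", "role": "normal", "nbf": ISSUED, "exp": ISSUED + 3600}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes) -> str:
    """Build header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    body = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    return body + "." + b64url(sign(body, key))

def verify(token: str, key: bytes, now: int) -> dict:
    """Return the claims only if algorithm, signature and validity window check out."""
    header, payload, sig = token.split(".")   # ValueError unless exactly three parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sign(f"{header}.{payload}", key), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("outside validity window")
    return claims

def outcome(token: str, key: bytes, now: int) -> str:
    try:
        return "accepted, role=" + verify(token, key, now)["role"]
    except ValueError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    token = issue(CLAIMS, KEY)
    header, payload, sig = token.split(".")
    forged = ".".join([header, encode_json({**CLAIMS, "role": "admin"}), sig])
    print(b64url_decode(payload))             # claims are readable without the key
    print(outcome(token, KEY, ISSUED + 60))   # inside the validity window
    print(outcome(forged, KEY, ISSUED + 60))  # edited role, old signature
    print(outcome(token, KEY, ISSUED + 3600)) # lifetime has run out
```

Running it shows that anyone holding the token can read its claims, while an edited role or an expired lifetime is rejected.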
Generating access tokens for built-in OpCenter users
An admin user can generate an access token (using the CLI or the web interface) for itself or for another built-in user. A normal user can generate an access token (using the CLI or the web interface) for itself only.
Note
If you toggle HPC Mode from off to on (or on to off), all tokens are deleted.
CLI
Complete the steps in the following example to create a token for a normal user.
- Log in to OpCenter as admin
- Add a built-in user with normal role
- Generate access token for built-in user
Note
The --ttl flag sets the time-to-live value for the token, that is, the token is only valid for this duration. The default value for ttl is the value of sessionTTL set in the OpCenter configuration.
$ float user token --user alice --ttl 1h
Old token(s) will be deleted if the number of tokens exceeds the limit (security.userTokens). Please check active tokens by using 'float user token --list' command.
Continue generating a new one?(yes/No): yes
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NTQ1MTQ4MjYsImZlYXR1cmVzIjoxMzA0MTksImdpZCI6MTAwNiwianRpIjoiY2FkMGRkMmEtMTM4MC00MWM4LWJhZDQtY2E4MTg3N2JjMzUyIiwibmJmIjoxNzUzOTA2NDI2LCJyb2xlIjoibm9ybWFsIiwidWlkIjoxMDA2LCJ1c2VybmFtZSI6ImFsaWNlIn0.K2O-qFntxBVGBJ6QkeSy2bBQF3hE8AYNnO58SAZzlDY
Note
After logging in to the OpCenter, the user alice can create additional tokens (using the CLI or the web interface) for itself.
- Copy the token string
Note
This is the only time the token string is displayed — you can't retrieve a token string using the CLI.
- Log out admin user
- Log in with access token
$ float login --token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NTQ1MTQ4MjYsImZlYXR1cmVzIjoxMzA0MTksImdpZCI6MTAwNiwianRpIjoiY2FkMGRkMmEtMTM4MC00MWM4LWJhZDQtY2E4MTg3N2JjMzUyIiwibmJmIjoxNzUzOTA2NDI2LCJyb2xlIjoibm9ybWFsIiwidWlkIjoxMDA2LCJ1c2VybmFtZSI6ImFsaWNlIn0.K2O-qFntxBVGBJ6QkeSy2bBQF3hE8AYNnO58SAZzlDY
Login Succeeded!
$ float user info alice
username: alice
uid: 1006
gid: 1006
capacity: 45
role: normal
group: ""
email: ""
type: builtin
enabled: true
ownGroup: ""
- (Optional) Manage access tokens
Using the float CLI, you can manage access tokens, that is, create, delete, or list tokens. The following flags are available.
$ float user token -h
generate one token for specified user or delete one existing token

Usage:
  float user token [username] [--ttl duration] [flags]

Flags:
  -d, --delete         delete the old token if specified
  -h, --help           help for token
  -l, --list           list all tokens for the user
  -T, --ttl duration   specify the token's time to live duration (default 0, means using server config sessionTTL)
  -U, --user string    specify the username to generate token for (default: current user)
Note
A maximum number of tokens, determined by security.userTokens, is permitted per user. If you create a new token after the maximum is reached, the oldest token is automatically deleted.
Use float user token --user USERNAME --list to display the identifier associated with each token.
$ float user token --user joe --list
- token: eyJhbGci...Ns3LD8tRLjmak4XxGyIE
  lastAccess: 2025-08-01T14:50:41.5560694Z
  timeout: 2h0m0s
The string "eyJhbGci...Ns3LD8tRLjmak4XxGyIE" is the identifier associated with the token. Use this identifier with float user token --delete.
Web interface
Complete the steps in the following example to create a token for a normal user.
- Log in to the web interface as admin
- In the left-hand panel, select ADMINISTRATION -> Users and Groups
- Identify the user to create a token for (alice in this example)
Note
A normal user (like alice) can generate its own tokens, but cannot generate tokens for other users.
- On the right-hand side, click the Generate Access Token icon
- In the pop-up window, enter a Token TTL and then click Generate
- Copy the token string—this is the only time the token string is displayed—and close the pop-up window
- Use the token to log in to the OpCenter using the float CLI or to provide credentials to access the OpCenter as part of a job script, for example, Nextflow
- (Optional) Manage access tokens by clicking the Generate Access Token icon associated with a user
Integration with the Okta Platform
The OpCenter integrates with the Okta platform to provide authentication in a SAML-based architecture. After authenticating to the Okta platform, a SAML user is automatically logged in to the OpCenter.
To create a token for a SAML user, complete the following steps.
- Log in to the OpCenter as a SAML user (see here for details)
- In the left-hand panel, select ADMINISTRATION -> Users and Groups
- Identify the SAML user to create a token for (cedricdisplay in this example)
- On the right-hand side, click the Generate Access Token icon
- In the pop-up window, enter a Token TTL and then click Generate
- Copy the token string—this is the only time the token string is displayed—and close the pop-up window
- Use the token to log the SAML user in to the OpCenter using the float CLI or to provide credentials for the SAML user to access the OpCenter as part of a job script, for example, Nextflow