
Access Tokens

Access tokens provide a user-friendly, secure means of authorizing access to resources.

Authentication using usernames and passwords

To access the OpCenter, all users must authenticate successfully. Several authentication methods are available, for example:

  • Local ("built-in")
  • Directory service such as LDAP or NIS
  • SAML-based service such as the Okta platform

Local, LDAP, and NIS users rely on usernames and passwords to authenticate; the difference is where the username/password pairs are stored. In the SAML architecture, the Identity Provider (IdP) authenticates the user by whatever method the IdP uses, which could be an internal database, an LDAP server, or something else.

Authentication using access tokens

An access token is generated by a system after authenticating the user via username/password credentials, multi-factor authentication, or some other method. The access token contains information about the user, user permissions, and other metadata. The access token is digitally signed to ensure integrity and authenticity, and has a limited lifetime determined by a configurable time-to-live parameter.

Access tokens are more secure than username/password credentials because tokens are valid for a limited time, can be revoked easily, can limit the resources available to users, and are not susceptible to replay, phishing or brute force attacks.

Generating access tokens for built-in OpCenter users

An admin user can generate an access token (using the CLI or the web interface) for itself or for another built-in user. A normal user can generate an access token (using the CLI or the web interface) for itself only.

Note

If you toggle HPC Mode from off to on (or on to off), all tokens are deleted.

CLI

Complete the steps in the following example to create a token for a normal user.

  • Log in to OpCenter as admin

    $ float login
    Username: admin
    Password: 
    Login Succeeded!
    
  • Add a built-in user with normal role

    $ float user add alice
    New password: 
    Confirm password: 
    username: alice
    uid: 1006
    gid: 1006
    capacity: 45
    role: normal
    group: ""
    email: ""
    type: builtin
    enabled: true
    ownGroup: ""
    
  • Generate access token for built-in user

    Note

    The --ttl flag sets the time-to-live value for the token, that is, the token is only valid for this duration. The default value for ttl is the value of sessionTTL set in the OpCenter configuration.

    $ float user token --user alice --ttl 1h
    Old token(s) will be deleted if the number of tokens exceeds the limit (security.userTokens).
    Please check active tokens by using 'float user token --list' command.
    Continue generating a new one?(yes/No): yes
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NTQ1MTQ4MjYsImZlYXR1cmVzIjoxMzA0MTksImdpZCI6MTAwNiwianRpIjoiY2FkMGRkMmEtMTM4MC00MWM4LWJhZDQtY2E4MTg3N2JjMzUyIiwibmJmIjoxNzUzOTA2NDI2LCJyb2xlIjoibm9ybWFsIiwidWlkIjoxMDA2LCJ1c2VybmFtZSI6ImFsaWNlIn0.K2O-qFntxBVGBJ6QkeSy2bBQF3hE8AYNnO58SAZzlDY
    

    Note

    After logging in to the OpCenter, the user alice can create additional tokens (using the CLI or the web interface) for itself.

  • Copy the token string

    Note

    This is the only time the token string is displayed — you can't retrieve a token string using the CLI.

  • Log out admin user

    $ float logout
    Logout Succeeded!
    
  • Log in with access token

    $ float login --token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NTQ1MTQ4MjYsImZlYXR1cmVzIjoxMzA0MTksImdpZCI6MTAwNiwianRpIjoiY2FkMGRkMmEtMTM4MC00MWM4LWJhZDQtY2E4MTg3N2JjMzUyIiwibmJmIjoxNzUzOTA2NDI2LCJyb2xlIjoibm9ybWFsIiwidWlkIjoxMDA2LCJ1c2VybmFtZSI6ImFsaWNlIn0.K2O-qFntxBVGBJ6QkeSy2bBQF3hE8AYNnO58SAZzlDY
    Login Succeeded!
    $ float user info alice
    username: alice
    uid: 1006
    gid: 1006
    capacity: 45
    role: normal
    group: ""
    email: ""
    type: builtin
    enabled: true
    ownGroup: ""
    
  • (Optional) Manage access tokens

    Using the float CLI, you can manage access tokens, that is, create, delete, or list tokens. The following flags are available.

    $ float user token -h
    generate one token for specified user or delete one existing token
    
    Usage:
    float user token [username] [--ttl duration] [flags]
    
    Flags:
    -d, --delete         delete the old token if specified
    -h, --help           help for token
    -l, --list           list all tokens for the user
    -T, --ttl duration   specify the token's time to live duration (default 0, means using server config sessionTTL)
    -U, --user string    specify the username to generate token for (default: current user)
    

    Note

    A maximum number of tokens, determined by security.userTokens, is permitted per user. If you create a new token after the maximum is reached, the oldest token is automatically deleted.

    Use float user token --user USERNAME --list to display the identifier associated with each token.

    $ float user token --user joe --list
    - token: eyJhbGci...Ns3LD8tRLjmak4XxGyIE
    lastAccess: 2025-08-01T14:50:41.5560694Z
    timeout: 2h0m0s
    

    The string "eyJhbGci...Ns3LD8tRLjmak4XxGyIE" is the identifier associated with the token. Use it with float user token --delete.

    $ float user token --user joe --delete eyJhbGci...Ns3LD8tRLjmak4XxGyIE
    After deleting this token, all sessions using it will close. Continue? (yes/No): yes
    Deleted old token successfully
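
Added example (not from the OpCenter documentation or the float CLI): the token string printed in the CLI steps above has the three-segment JSON Web Token layout, so its header and claims can be decoded locally to check the user, role and validity window before the token is stored in a job script. The function names are this example's own, and it decodes only; the signature cannot be checked without the server's signing key.

```python
import base64
import json
from datetime import datetime, timezone

# Sample token printed by `float user token --user alice --ttl 1h` on this page,
# split at the dots into header, payload and signature.
TOKEN = ".".join([
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
    "eyJleHAiOjE3NTQ1MTQ4MjYsImZlYXR1cmVzIjoxMzA0MTksImdpZCI6MTAwNiwi"
    "anRpIjoiY2FkMGRkMmEtMTM4MC00MWM4LWJhZDQtY2E4MTg3N2JjMzUyIiwi"
    "bmJmIjoxNzUzOTA2NDI2LCJyb2xlIjoibm9ybWFsIiwidWlkIjoxMDA2LCJ1c2VybmFtZSI6ImFsaWNlIn0",
    "K2O-qFntxBVGBJ6QkeSy2bBQF3hE8AYNnO58SAZzlDY",
])

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_token(token: str):
    """Return (header, claims). Decodes only; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError(f"segment is not base64url-encoded JSON: {exc}") from None
    return header, claims

def validity(claims: dict, now: datetime) -> dict:
    """Summarise the nbf/exp window of decoded claims relative to `now` (UTC)."""
    nbf, exp = (None if claims.get(k) is None else
                datetime.fromtimestamp(claims[k], tz=timezone.utc) for k in ("nbf", "exp"))
    if exp is None:
        state = "no exp claim"
    elif nbf is not None and now < nbf:
        state = "not yet valid"
    else:
        state = "expired" if now >= exp else "inside window"
    lifetime = int((exp - nbf).total_seconds()) if nbf and exp else None
    return {"nbf": nbf, "exp": exp, "lifetime_s": lifetime, "state": state}

if __name__ == "__main__":
    header, claims = inspect_token(TOKEN)
    print(header, claims, sep="\n")
    print(validity(claims, datetime.now(timezone.utc)))
```

The claims are only base64url-encoded, not encrypted, so anyone who holds the token string can read them. For the sample token, exp minus nbf is 608400 seconds; the page does not state how that claim relates to --ttl or to the timeout shown by --list.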
    

Web interface

Complete the steps in the following example to create a token for a normal user.

  • Log in to the web interface as admin
  • In the left-hand panel, select ADMINISTRATION -> Users and Groups
  • Identify the user to create a token for (alice in this example)

    Note

    A normal user (like alice) can generate its own tokens, but cannot generate tokens for other users.

  • On the right-hand side, click the Generate Access Token icon

    [Figure: Creating an access token]

  • In the pop-up window, enter a Token TTL and then click Generate

    [Figure: Choosing a token TTL]

  • Copy the token string—this is the only time the token string is displayed—and close the pop-up window

    [Figure: Copying token string]

  • Use the token to log in to the OpCenter using the float CLI or to provide credentials to access the OpCenter as part of a job script, for example Nextflow

  • (Optional) Manage access tokens by clicking the Generate Access Token icon associated with a user

Integration with the Okta Platform

The OpCenter integrates with the Okta platform to provide authentication in a SAML-based architecture. After authenticating to the Okta platform, a SAML user is automatically logged in to the OpCenter.

To create a token for a SAML user, complete the following steps.

  • Log in to the OpCenter as a SAML user (see here for details)
  • In the left-hand panel, select ADMINISTRATION -> Users and Groups
  • Identify the SAML user to create a token for (cedricdisplay in this example)
  • On the right-hand side, click the Generate Access Token icon

    [Figure: Creating an access token]

  • In the pop-up window, enter a Token TTL and then click Generate

  • Copy the token string—this is the only time the token string is displayed—and close the pop-up window
  • Use the token to log the SAML user in to the OpCenter using the float CLI or to provide credentials for the SAML user to access the OpCenter as part of a job script, for example Nextflow