# How to Rotate API Tokens

Rotation is a two-step, create-then-revoke procedure:

1. Create a new token.
2. Revoke the old token.

**Assumptions:**

* Your MiniDiscovery API is running at `http://localhost:8500`. Plain HTTP is only acceptable because the endpoint is local: every request below carries an admin token in a header or in the URL, so over a network the API must be reached over TLS.
* Your *current* (initial) admin token is stored in the variable `OLD_ADMIN_TOKEN`.
* You want the *new* admin token to be named `admin-v2` (or similar).

**Steps:**

1. **Create a New Admin Token:**
    * Use your *existing* admin token (`$OLD_ADMIN_TOKEN`) in the `X-API-Token` header.
    * POST to the `/v1/acl/token` endpoint.
    * Request the `admin` permission for the new token.

    ```bash
    OLD_ADMIN_TOKEN="your_initial_secure_admin_token_here"
    NEW_TOKEN_NAME="admin-v2"   # Or any descriptive name

    # Make the API call (-sS: quiet, but still report transport errors)
    response=$(curl -sS -X POST "http://localhost:8500/v1/acl/token" \
      -H "accept: application/json" \
      -H "X-API-Token: ${OLD_ADMIN_TOKEN}" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "'"${NEW_TOKEN_NAME}"'",
        "permissions": ["read", "write", "admin"]
      }')

    # Extract the new token. Prefer jq; the sed fallback accepts both
    # "token":"x" and "token": "x" (a grep for the spaced form alone
    # silently fails on compact JSON).
    if command -v jq >/dev/null 2>&1; then
      NEW_ADMIN_TOKEN=$(printf '%s' "$response" | jq -r '.token // empty')
    else
      NEW_ADMIN_TOKEN=$(printf '%s' "$response" \
        | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    fi

    if [ -z "$NEW_ADMIN_TOKEN" ]; then
      echo "Error creating new token. Response:"
      echo "$response"
      exit 1
    else
      echo "Successfully created new admin token named '${NEW_TOKEN_NAME}'."
      # Printing the secret puts it in terminal scrollback and any CI log;
      # for unattended use, write it to a 0600 file or a secrets manager instead.
      echo "NEW TOKEN (SAVE THIS SECURELY!): ${NEW_ADMIN_TOKEN}"
      # !!! IMPORTANT: Securely store NEW_ADMIN_TOKEN now !!!
    fi
    ```

2. **Revoke the Old Admin Token:**
    * You can use *either* `$OLD_ADMIN_TOKEN` or the `$NEW_ADMIN_TOKEN` you just created for authentication in the `X-API-Token` header, since both have `admin` rights at this point. Use the new one: if it is rejected here, you find out while the old token is still valid, instead of after you have locked yourself out.
    * Send a DELETE request to `/v1/acl/token/{token_to_revoke}`.
    * The `{token_to_revoke}` path parameter MUST be the **plain text** value of the token you want to remove (i.e., the value of `$OLD_ADMIN_TOKEN`). Because it travels in the URL, the old token will show up in server access logs, proxy logs and shell history; that is acceptable only because it is being retired in the same request.

    ```bash
    # Use the NEW token to authenticate the revocation request
    curl -sS -X DELETE "http://localhost:8500/v1/acl/token/${OLD_ADMIN_TOKEN}" \
      -H "accept: application/json" \
      -H "X-API-Token: ${NEW_ADMIN_TOKEN}"
    # Check the output; it should indicate success (e.g., {"status":"revoked", ...})

    # Or use the OLD token to authenticate:
    # curl -sS -X DELETE "http://localhost:8500/v1/acl/token/${OLD_ADMIN_TOKEN}" \
    #   -H "accept: application/json" \
    #   -H "X-API-Token: ${OLD_ADMIN_TOKEN}"

    echo "Attempted to revoke the old admin token. Verify the response."
    ```

**After these steps:**

* The initial admin token (`$OLD_ADMIN_TOKEN`) is no longer valid.
* The new token (`$NEW_ADMIN_TOKEN`) is the active token with admin privileges.
* Update any scripts, configurations, or password managers that were using the old token to use the new one. Anything still presenting the old token starts failing authentication the moment the revocation lands, so when other consumers depend on the token, hand them the new one between step 1 and step 2 rather than afterwards.

This create-then-revoke process is the standard way to handle credential rotation in systems like this.
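The two steps above as one script, added here as an example; it is not part of the MiniDiscovery project or of this page's original text. It uses only the two endpoints the page documents (`POST /v1/acl/token` and `DELETE /v1/acl/token/{token}`) and assumes the API answers with a 2xx status on success and a non-2xx status when the presented `X-API-Token` is invalid. `MD_URL`, `MD_HTTP`, `md_http_curl`, `extract_token` and `rotate_admin_token` are names chosen for this example. It goes one check beyond the page's procedure: after the revocation it presents the old token once more and treats a 2xx as a failed rotation.

```shell
#!/bin/sh
# rotate_admin_token.sh: create-then-revoke rotation of a MiniDiscovery admin token.
# Example code, not part of the project. Endpoint paths are the ones documented on
# the page; the status conventions (2xx success, non-2xx for a bad token) are assumed.
set -eu

MD_URL="${MD_URL:-http://localhost:8500}"
# Transport: METHOD PATH TOKEN [JSON_BODY] -> response body on stdout, then the HTTP
# status as the last line. Overridable so the logic can run against a stub offline.
MD_HTTP="${MD_HTTP:-md_http_curl}"
NL='
'

md_http_curl() {
  if [ -n "${4:-}" ]; then
    curl -sS -X "$1" "${MD_URL}$2" -w '\n%{http_code}' \
      -H "accept: application/json" -H "X-API-Token: $3" \
      -H "Content-Type: application/json" -d "$4"
  else
    curl -sS -X "$1" "${MD_URL}$2" -w '\n%{http_code}' \
      -H "accept: application/json" -H "X-API-Token: $3"
  fi
}

# Pull .token out of a JSON response: jq if present, otherwise a sed fallback
# that accepts both "token":"x" and "token": "x". Empty output means no token.
extract_token() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.token // empty'
  else
    printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
  fi
}

# rotate_admin_token OLD_TOKEN NEW_NAME -> prints the new token once the old one is
# revoked; returns 1 (reason on stderr) at the first step that misbehaves.
rotate_admin_token() {
  old_token="$1"; new_name="$2"   # new_name is assumed to contain no quotes

  # Step 1: create the replacement, authenticated with the current admin token.
  out=$("$MD_HTTP" POST /v1/acl/token "$old_token" \
        "{\"name\":\"${new_name}\",\"permissions\":[\"read\",\"write\",\"admin\"]}") \
    || { echo "create: transport error" >&2; return 1; }
  status=${out##*"$NL"}; body=${out%"$NL"*}
  case "$status" in
    2??) ;;
    *) echo "create: HTTP $status: $body" >&2; return 1 ;;
  esac
  new_token=$(extract_token "$body") || new_token=""
  [ -n "$new_token" ] || { echo "create: response carried no token" >&2; return 1; }

  # Step 2: revoke the old token, authenticated with the NEW one. A broken new
  # token is caught here, while the old one still works and can clean up.
  out=$("$MD_HTTP" DELETE "/v1/acl/token/${old_token}" "$new_token") \
    || { echo "revoke: transport error" >&2; return 1; }
  status=${out##*"$NL"}
  case "$status" in
    2??) ;;
    *) echo "revoke: HTTP $status (new token rejected or revoke failed)" >&2; return 1 ;;
  esac
  # From here on the new token is the only admin credential we hold, so hand it to
  # the caller before the confirmation step can fail.
  printf '%s\n' "$new_token"

  # Step 3: confirm the revocation took effect. The same request authenticated with
  # the old token must now be refused; a 2xx means the old credential is still live.
  out=$("$MD_HTTP" DELETE "/v1/acl/token/${old_token}" "$old_token") \
    || { echo "verify: transport error, revocation not confirmed" >&2; return 1; }
  status=${out##*"$NL"}
  case "$status" in
    2??) echo "verify: old token still accepted after revocation" >&2; return 1 ;;
  esac
}

# Usage: OLD_ADMIN_TOKEN=... [NEW_TOKEN_NAME=admin-v2] sh rotate_admin_token.sh
# The token comes from the environment rather than argv so it is not visible in
# `ps`; the new token goes to a 0600 file in the current directory, not the terminal.
if [ -n "${OLD_ADMIN_TOKEN:-}" ]; then
  umask 077
  rotate_admin_token "$OLD_ADMIN_TOKEN" "${NEW_TOKEN_NAME:-admin-v2}" > ./new_admin_token
  echo "rotation complete; new admin token written to ./new_admin_token" >&2
fi
```

The new token is written out as soon as the revocation request succeeds, so a failed confirmation in the last step never costs you the only valid admin credential; the non-zero exit still tells you the old token needs looking at. Pointing `MD_HTTP` at a shell function that returns canned responses lets you rehearse the whole flow before running it against a real server.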