Updated on 2025-11-06 GMT+08:00

How Do I Disable Tokens and Only Use Identity Policy-based Authentication?

Reasons for Disabling Tokens

Token-based authentication has the following disadvantages:

  • When a token is used for authentication, identity policy-based authorization is not applied to the request.
  • Tokens are less secure than temporary access keys.
  • A user's permissions are statically fixed in a token at the time it is issued. After permissions are updated, a new token must be obtained for the change to take effect.

APIs for Disabling Tokens

Table 1 APIs for disabling tokens

Method | API             | Identity Policy Action     | Description
POST   | /v3/auth/tokens | iamToken::generatePkiToken | Obtaining a token
GET    | /v3/auth/tokens | iamToken::validatePkiToken | Verifying the validity of a token

Constraints

  • Before disabling tokens, ensure that no services depend on them. Otherwise, token requests will fail once the action is denied, and the services that rely on those tokens will stop working.
  • You are not advised to use wildcards in identity policies to disable tokens.

    For example, the following identity policy denies iamToken::*. If a new action in the iamToken::xxx format is added later, that action will also be denied by this policy, which may cause unexpected failures. Wildcards are not recommended in Deny statements.

    {
    	"Version": "5.0",
    	"Statement": [{
    		"Effect": "Deny",
    		"Action": [
    			"iamToken::*"
    		]
    	}]
    }

    It is recommended that identity policies deny only specific actions. For example, if you want to disable the operation for obtaining a token, deny only the iamToken::generatePkiToken action.

Method

  • Using identity policies

    You can configure an identity policy on the new IAM console to prevent tokens from being obtained.

    For details, see Creating a Custom Identity Policy and Attaching an Identity Policy to a Principal.

    The following example identity policy uses the g:DomainId condition key (optional) to prevent specific users from obtaining a token:

    {
    	"Version": "5.0",
    	"Statement": [{
    		"Effect": "Deny",
    		"Action": [
    			"iamToken::generatePkiToken"
    		],
    		"Condition": {
    			"StringEquals": {
    				"g:DomainId": [
    					"xxxxxxxxxxxxxxxxxxxxx"
    				]
    			}
    		}
    	}]
    }
  • Using SCPs

    You can configure an SCP on the Organizations console to prevent tokens from being obtained.

    For details, see Creating an SCP and Attaching an SCP.

    The following example SCP uses the g:UserId condition key (optional) to prevent specific users from obtaining a token:

    {
    	"Version": "5.0",
    	"Statement": [{
    		"Effect": "Deny",
    		"Action": [
    			"iamToken::generatePkiToken"
    		],
    		"Condition": {
    			"StringEquals": {
    				"g:UserId": [
    					"xxxxxxxxxxxxxxxxxxxxx"
    				]
    			}
    		}
    	}]
    }
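The following added example (not the service's own policy engine, which is not described on this page) is a simplified evaluator for the Deny statements shown above. It shows why the wildcard deny from the Constraints section over-reaches, and how the specific deny scoped with a g:DomainId condition only blocks the intended action for the intended account. The policy values, the action name iamToken::someFutureAction and the context keys are constructed placeholders.

```python
import re

# Constructed policies modelled on the ones in this FAQ (placeholder IDs, not real ones).
WILDCARD_DENY = {"Version": "5.0", "Statement": [
    {"Effect": "Deny", "Action": ["iamToken::*"]}]}

SPECIFIC_DENY = {"Version": "5.0", "Statement": [
    {"Effect": "Deny", "Action": ["iamToken::generatePkiToken"],
     "Condition": {"StringEquals": {"g:DomainId": ["constructed-domain-id"]}}}]}

# Actions from Table 1 plus a constructed placeholder for an action added in the future.
CANDIDATE_ACTIONS = ["iamToken::generatePkiToken", "iamToken::validatePkiToken",
                     "iamToken::someFutureAction"]


def action_matches(pattern, action):
    """Match a policy action pattern against a requested action; '*' matches any run."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action) is not None


def condition_matches(condition, context):
    """Evaluate a StringEquals block (the only operator used on this page).
    An absent or empty Condition always matches."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in allowed:
            return False
    return True


def is_denied(policy, action, context):
    """Return True if any Deny statement in the policy applies to the request.
    Only Deny statements are modelled, since a matching Deny overrides any Allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(action_matches(p, action) for p in stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def unintended_denials(policy, intended, candidate_actions, context):
    """List candidate actions the policy denies beyond the ones meant to be disabled."""
    return sorted(a for a in candidate_actions
                  if is_denied(policy, a, context) and a not in intended)
```

Run unintended_denials against a draft policy before attaching it to confirm that only the action you meant to disable is denied.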