CLI - Manage access tokens

Learn how to create Application tokens with the ovhai CLI

Last updated 25th March, 2021.


This guide covers the creation of application tokens for AI Training.



token create

If you need any help while creating a new token, run ovhai token create --help:

    ovhai token create [OPTIONS] <name> --role <role>

    <name>    Token's name

    -h, --help       Prints help information
    -V, --version    Prints version information

    -l, --label-selector <name=value>
            Only jobs with this label's name and value will be accessible using this token

    -o, --output <output>
            Command output format [default: yaml] [possible values: json, yaml]

    -r, --role <role>
            Operator role gives all access, read role only allow to access job's APIs [possible
            values: read, operator]

Create an app token

The creation of application tokens is pretty straightforward, you need to define what roles to assign to the token and its scope.

There are two roles available:

  • read a token with this role will allow access to the services exposed by the job on the job_url
  • operator a token with this role will allow interaction with AI Training api and CLI

The tokens can be scoped to apply only on jobs matching a specific label. Upon creating a token simply provide a name=value pair and when running a new job add the label to the job to be accessible ovhai job run -l name=value. If you create a new job using an app token the label-selector is automatically added to the created job so that it falls within the token scope.

Let us create a new operator token scoped to model=base and named basetoken:

ovhai token create basetoken --label-selector model=base --role operator

An unscoped token will have access to all jobs.

Use the app token

If your token has a role read and you wish to acces the job_url or if it is an operator token and you wish to use the AI Training API simply add the following header to your HTTP requests:

-H 'Authorization: Bearer <token>'

You can also use the operator token directly with the ovhai CLI. For all commands simply add the flag --app-token to override the default authentication method. Running a simple Hello World with the app token :

ovhai job run --app-token <my-token> ubuntu -- echo `Hello World`

Token lifecycle

Application token do not have an expiration date. We need an additional mechanism to revoke those tokens and remove access to unwanted applications.

There are two ways to revoke a token.

token delete

You can delete any token using its id. List the tokens and find the ID associated with your token. Then simply run:

ovhai token delete <token-id>

token renew

You may wish to revoke a token while keeping its name and label-selector, a typical use case is if your token leaked or is compromised in any way. Rather than deleting and recreating the token you can renew it. Simply run:

ovhai token renew <token-id>


Please send us your questions, feedback and suggestions to improve the service:

Did you find this guide useful?

Please feel free to give any suggestions in order to improve this documentation.

Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.

Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.

Thank you. Your feedback has been received.

These guides might also interest you...

OVHcloud Community

Access your community space. Ask questions, search for information, post content, and interact with other OVHcloud Community members.

Discuss with the OVHcloud community