The tokengen component generates admin-api tokens and stores them in the admin object storage. You run the tokengen component with the configuration flag -target=tokengen. It requires admin client object storage configuration to persist the generated token. To configure the admin client object storage configuration, refer to admin_client.

The tokengen component logs the generated token and optionally writes it to the path specified by the configuration flag -tokengen.token-file. Note that if the file already exists, the token file won’t be overwritten, and tokengen will fail with an error. It can be run multiple times, generating a new token each time. Previously generated tokens continue to be valid.

By default, tokens generated by tokengen use the built-in admin access policy. To specify an alternative access policy, use the configuration flag -tokengen.access-policy.