Skip to main content

Access Server's Token URL Feature

A new feature introduced with Access Server 2.11 is the token URL. It is a method of providing a connection profile to a user’s OpenVPN client. This document provides details and some use cases.

Access Server token URL

A token URL contains an authentication token valid for a specific time and/or a number of usages and grants access to a connection profile. Accessing this token URL triggers the OpenVPN Connect VPN client to download and import the connection profile. The token URL has these characteristics:

  1. An HTTPS URL with an authentication token for a connection profile.

  2. The profile can be of user-locked, auto-login, or server-locked type.

  3. A number of authentication token usages (defaults to 1 use).

  4. Authentication token expiration time (defaults to 1 hour).

  5. Prefixed with openvpn://import-profile/ to trigger client import process.

Supported software for the client import process

When a token URL with openvpn://import-profile/ prefix is opened on a system with a supported OpenVPN client program installed, the user is offered the option to import the connection profile into the OpenVPN client. You need Access Server 2.11.0 or newer and OpenVPN Connect 3.3.6 or newer for this feature.

The process looks like this:

  1. The user has OpenVPN Connect v3.3.6 or newer.

  2. They click or open the token URL.

  3. The browser asks to open OpenVPN Connect, and they click OK.

  4. OpenVPN Connect asks to import the profile, and they click OK.

  5. The connection profile can now be used in OpenVPN Connect.


If your VPN client doesn’t support client import, you can still download and import the connection profile manually as described here: Manually Download a Connection Profile Using a Token URL.

Token URL tutorials

Refer to the following tutorials for working with token URLs:


AUTH ERROR: token not found in DB

If you try to use a token URL after it’s expired, you’ll receive an auth error message that the token isn’t in the database. Once a token URL expires, it’s no longer saved in ListPofileTokens.

ERROR: NEED_AUTOLOGIN — user lacks autologin privilege

You can’t generate an auto-login profile for a user if they don’t have the privilege. To grant that, sign in to the Admin Web UI, click User Management > User Permissions, and click Allow Autologin for the user. Ensure you save and update the running server.