Tutorial: Manage Token URLs from the Command-Line Interface

Abstract

What is the authentication token URL for VPN clients? Learn how to work with this Access Server feature.

Overview

Access Server's token URL is a method of providing a connection profile to a user's OpenPVN client.

This tutorial shows how to work with token URLs from the command-line interface (CLI).

Related tutorials:

Sign in to the Access Server console and get root privileges.
Run commands from the following sections for user, auto-login, and server-locked profiles. Refer to the Connections Profiles topic to read about the differences.

Run this command to generate a user-profile token URL:

sacli --user <USER> AddProfileToken

The command adds a new token and provides the URL to download the profile, for example:

Added token, import URL openvpn://import-profile/https://123.456.78.90/rest/GetProfileViaToken?token=VKIn2qMCyGHgOjBVstqbh1foSNnsUBhK

You can now paste the token into a browser and a message pops up to open OpenVPN Connect.
OpenVPN Connect confirms you want to import a profile from the provided domain.
When confirmed, OpenVPN Connect imports the profile for your user.

Run the command appropriate for your Access Server version to generate an auto-login user profile:
```
sacli --user <USER> --profile_type="autologin" AddProfileToken
```
If the user has auto-login permissions, the command adds a new token and provides the URL to download the profile.
Note
If the user doesn't have auto-login permissions, the command returns an error message stating, "need autologin."

Run the command appropriate for your Access Server version to generate a server-locked profile:
```
sacli --user <USER> --profile_type="server-locked" AddProfileToken
```
Use the provided URL to download the server-locked profile.

Run this command to generate a token URL with a specific expiration time:
```
sacli --user <USER> --token_expire="1200" AddProfileToken
```
- The command adds a new token that expires 1200 minutes after creation and provides the URL to download the profile.
If a user tries to enter the URL in their browser after the expiration, the browser will still prompt them to open OpenVPN Connect and import the profile but then receive an error. You can find an error message in your log stating that the token isn’t in the database.

Run this command to generate a token URL that can be used a specified number of times:
```
sacli --user <USER> --token_usage_count="3" AddProfileToken
```
- The command adds a new token with three allowable usages and provides the URL to download the profile.
Each time a user downloads a profile with the provided URL, the usage number counts down until it reaches zero, and you can no longer use the token to download a profile.

Run this command to list the current profile tokens:
```
sacli ListProfileTokens
```
- You should see any newly generated tokens in the list. The list includes the token, type, usages, expiration, and username — only currently valid tokens display.
Once a token expires, you must issue a new token, and the expired token won’t be in the list anymore.

Run the command to list the current profile tokens (above).
From the token list, copy the generated token you want to delete.
Run this command, replacing <token> with the copied token from the list:
```
sacli --id <token> DeleteProfileToken
```
- The token is deleted.

In this section: