Overview

List all active workspace tokens for the current workspace. This command shows token metadata including JWT ID (JTI), creation time, expiration, and indicates which token is currently being used.

Syntax

ntcli token list [options]

Options

--format
string
Output format for the token listDefault: table
Options: table, json
--show-expired
boolean
Include expired tokens in the listDefault: false
Use case: Audit token usage history

Examples

List Active Tokens

# List all active workspace tokens
ntcli token list
Output: 
┌─────────────────────┬─────────────────────┬─────────────────────┬─────────┐
│ JTI                 │ Created             │ Expires             │ Current │
├─────────────────────┼─────────────────────┼─────────────────────┼─────────┤
│ jti_abc123          │ 2024-08-07 10:30:00 │ 2025-08-07 10:30:00 │ ✓       │
│ jti_def456          │ 2024-07-15 14:20:00 │ 2025-07-15 14:20:00 │         │
│ jti_ghi789          │ 2024-06-01 09:15:00 │ Never               │         │
└─────────────────────┴─────────────────────┴─────────────────────┴─────────┘

Include Expired Tokens

# Show all tokens including expired ones
ntcli token list --show-expired
Output: 
┌─────────────────────┬─────────────────────┬─────────────────────┬─────────┬─────────────┐
│ JTI                 │ Created             │ Expires             │ Current │ Status      │
├─────────────────────┼─────────────────────┼─────────────────────┼─────────┼─────────────┤
│ jti_abc123          │ 2024-08-07 10:30:00 │ 2025-08-07 10:30:00 │ ✓       │ Active      │
│ jti_def456          │ 2024-07-15 14:20:00 │ 2025-07-15 14:20:00 │         │ Active      │
│ jti_old123          │ 2024-01-01 12:00:00 │ 2024-06-01 12:00:00 │         │ Expired     │
└─────────────────────┴─────────────────────┴─────────────────────┴─────────┴─────────────┘

JSON Output

# Get token list in JSON format
ntcli token list --format json
Output: 
{
  "tokens": [
    {
      "jti": "jti_abc123",
      "created_at": "2024-08-07T10:30:00Z",
      "expires_at": "2025-08-07T10:30:00Z",
      "is_current": true,
      "status": "active"
    },
    {
      "jti": "jti_def456", 
      "created_at": "2024-07-15T14:20:00Z",
      "expires_at": "2025-07-15T14:20:00Z",
      "is_current": false,
      "status": "active"
    }
  ],
  "total_active": 2,
  "current_token_jti": "jti_abc123"
}

Understanding Token Information

Table Columns

ColumnDescription
JTIJWT ID - unique identifier for the token
CreatedWhen the token was created
ExpiresWhen the token expires (“Never” for non-expiring tokens)
Current✓ indicates the token currently stored locally
StatusActive, Expired, or Revoked (when --show-expired is used)

Token States

  • Active: Token is valid and can be used
  • Expired: Token has passed its expiration date
  • Current: Token currently stored in local configuration

Token Management Workflow

Audit Token Usage

# Review all tokens for security audit
ntcli token list --show-expired --format json | jq '.tokens[] | {jti, created_at, expires_at, status}'

Clean Up Old Tokens

# List tokens to identify old ones
ntcli token list

# Revoke specific old tokens
ntcli token revoke jti_old123
ntcli token revoke jti_old456

Monitor Token Expiration

# Check which tokens are expiring soon
ntcli token list --format json | jq '.tokens[] | select(.expires_at != null) | {jti, expires_at}'

Security Considerations

Token Rotation: Regularly review and revoke unused tokens to maintain security.
Multiple Active Tokens: Multiple tokens can be active simultaneously. Revoke unused tokens to reduce attack surface.

Best Practices

  • Regular Audits: Review token list monthly to identify unused tokens
  • Token Naming: Use meaningful JTI patterns if creating tokens programmatically
  • Expiration Monitoring: Set up alerts for tokens nearing expiration
  • Immediate Revocation: Revoke tokens immediately when no longer needed

Error Handling

token create

Create new workspace tokens

token refresh

Refresh current workspace token

token revoke

Revoke specific tokens

token show

Show current token information