# mytoken

mytoken is a token service designed to solve the fundamental mismatch between short-lived OpenID Connect (OIDC) access tokens and long-running workloads in high-performance computing and research infrastructures. OIDC access tokens typically expire within an hour or a few hours, while compute jobs routinely run for days or weeks and need sustained access to OIDC-protected resources without the user being present. mytoken addresses this by introducing a new token type, the mytoken: a capability-based bearer token that can be exchanged for fresh OIDC access tokens at a central server at any time and from any internet-connected device.

The mytoken ecosystem comprises a REST API server (Go), a command-line client (Go), client libraries (Go and Python), and a web interface (SvelteKit). Key features include a capabilities model for fine-grained permission scoping and a restrictions model supporting time-based, location-based (country, IP/subnet), usage-count, scope, and audience limits. Restrictions are multi-clause: each clause carries its own validity window and limits, so a single token can grant different privilege sets at different points in its lifetime. Because a mytoken is itself a long-lived bearer credential, what an attacker gains from a stolen one is bounded by these capabilities and restrictions rather than by token lifetime. Additional mechanisms such as automatic token rotation, cross-device transfer, and an SSH grant type further enhance security and usability.
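To make the restrictions model concrete, the following Go program evaluates a two-clause restriction set against access-token requests. It is an added example written for this page, not code from the mytoken project: the struct fields, the `Authorize`/`Permits` functions, the `JobRestrictions` sample (a month-long job with full storage access in week one, then read-only access with a usage budget) and the constructed requests are all this example's own assumptions and mirror the dimensions named above (time, IP/subnet, country, usage count, scope, audience) rather than the server's wire schema.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Restriction is one clause of a restrictions array (field names are this
// example's own assumptions); empty slices and zero times mean "no limit".
type Restriction struct {
	NotBefore, ExpiresAt time.Time // validity window [NotBefore, ExpiresAt)
	Scopes, Audiences    []string  // request must be a subset of each
	Hosts                []string  // allowed source networks, CIDR notation
	Countries            []string  // allowed ISO country codes (GeoIP)
	MaxUsages, Used      int       // usage budget (0 = unlimited) and spend
}

type Request struct {
	At                time.Time
	SourceIP          net.IP
	Country           string
	Scopes, Audiences []string
}

// subset reports whether every element of want is in allowed; an empty
// allowed list imposes no restriction.
func subset(want, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	set := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		set[a] = true
	}
	for _, w := range want {
		if !set[w] {
			return false
		}
	}
	return true
}

// inNetworks: ip inside one of the CIDRs; empty list means no restriction.
func inNetworks(ip net.IP, cidrs []string) bool {
	if len(cidrs) == 0 {
		return true
	}
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true // malformed entries never match
		}
	}
	return false
}

// Permits reports whether this single clause authorises the request.
func (r *Restriction) Permits(req Request) bool {
	if (!r.NotBefore.IsZero() && req.At.Before(r.NotBefore)) ||
		(!r.ExpiresAt.IsZero() && !req.At.Before(r.ExpiresAt)) {
		return false // outside this clause's validity window
	}
	return !(r.MaxUsages > 0 && r.Used >= r.MaxUsages) && // budget not exhausted
		subset(req.Scopes, r.Scopes) && subset(req.Audiences, r.Audiences) &&
		inNetworks(req.SourceIP, r.Hosts) && subset([]string{req.Country}, r.Countries)
}

// Authorize evaluates clauses in order (they are OR-ed), charges one usage to
// the first clause that permits the request and returns its index, else -1.
func Authorize(rs []Restriction, req Request) int {
	for i := range rs {
		if rs[i].Permits(req) {
			rs[i].Used++
			return i
		}
	}
	return -1
}

// JobRestrictions is a constructed sample: full storage access in week one,
// then read-only with a two-request budget, both pinned to the cluster and DE.
func JobRestrictions(start time.Time) []Restriction {
	week := 7 * 24 * time.Hour
	common := Restriction{Audiences: []string{"https://storage.example.org"},
		Hosts: []string{"10.0.0.0/8"}, Countries: []string{"DE"}}
	full, readOnly := common, common
	full.NotBefore, full.ExpiresAt = start, start.Add(week)
	full.Scopes = []string{"openid", "storage.read", "storage.write"}
	readOnly.NotBefore, readOnly.ExpiresAt = start.Add(week), start.Add(4*week)
	readOnly.Scopes, readOnly.MaxUsages = []string{"openid", "storage.read"}, 2
	return []Restriction{full, readOnly}
}

func main() {
	rs := JobRestrictions(time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC))
	day10 := rs[1].NotBefore.Add(72 * time.Hour)
	write := Request{At: day10, SourceIP: net.ParseIP("10.1.2.3"), Country: "DE", Scopes: []string{"openid", "storage.write"}}
	read := Request{At: day10, SourceIP: net.ParseIP("10.1.2.3"), Country: "DE", Scopes: []string{"openid", "storage.read"}}
	fmt.Println("day 10 write:", Authorize(rs, write), "read:", Authorize(rs, read)) // -1 1
}
```

Two design points matter for a real deployment. Clauses are disjunctive, so a request is granted if any clause admits it; the usage counter is therefore charged to the specific clause that matched, not to the token as a whole. And every check, including the usage budget and the GeoIP/subnet test, has to run on the server that holds the counter and sees the client's source address, because the mytoken itself is a bearer secret that a holder could present from anywhere.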

## Further Information