
Issue a bootstrap token

A BootstrapToken is the single-use credential a fresh Node or Bridge presents on its first call. plexctl bootstrap-token wraps /v1/projects/{project_id}/bootstrap-tokens. The plaintext is shown exactly once on issue.

Prerequisites

Steps

Issue a token

shell
plexctl bootstrap-token issue \
  --project <project-uuid> \
  --kind node \
  --env-prefix prod \
  --ttl 1h
# WARNING: this is the only time this plaintext will be displayed
# psb_prod_…_node_…
#
# token_id:   …
# issued_at:  …
# expires_at: …

--kind is node or bridge; a bridge token presented at the Node endpoint is rejected. --ttl is bounded server-side to [5m, 24h]. Capture the plaintext from the response immediately — the API never returns it again.

List and inspect

shell
plexctl bootstrap-token list --project <project-uuid>
# ID  PROJECT  ENV   KIND  ISSUED_AT  EXPIRES_AT  STATE
# …   …        prod  node  …          …           active
plexctl bootstrap-token get --token-id <token-uuid>

get confirms a redemption (consumed_at populated) or a revoke (revoked_at populated).

Revoke a token

shell
plexctl bootstrap-token revoke --token-id <token-uuid> --yes

Revoke is idempotent; each call still writes one audit entry.

Verification

shell
plexctl bootstrap-token get --token-id <token-uuid> --output json \
  | jq '{kind, expires_at, consumed_at, revoked_at}'
# {
#   "kind": "node",
#   "expires_at": "…",
#   "consumed_at": null,
#   "revoked_at": null
# }

consumed_at and revoked_at are null until the token is redeemed or revoked.
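The verification step above, turned into a gate that a provisioning script can run before handing a token to a new host. This is an added example, not part of plexctl. The names token_problems, parse_ts and check_token.py are hypothetical, and the RFC 3339 timestamp format is an assumption because the page elides the real values.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed records in the shape shown under Verification; every value is made up.
# Assumption: timestamps are RFC 3339 strings (the page elides the real format).
SAMPLES = {
    "fresh": '{"kind":"node","expires_at":"2030-01-01T01:00:00Z","consumed_at":null,"revoked_at":null}',
    "consumed": '{"kind":"node","expires_at":"2030-01-01T01:00:00Z","consumed_at":"2030-01-01T00:10:00Z","revoked_at":null}',
    "revoked_bridge": '{"kind":"bridge","expires_at":"2030-01-01T01:00:00Z","consumed_at":null,"revoked_at":"2030-01-01T00:05:00Z"}',
    "expired": '{"kind":"node","expires_at":"2030-01-01T00:20:00Z","consumed_at":null,"revoked_at":null}',
}

def parse_ts(value):
    """Parse an RFC 3339 timestamp; a value without an offset is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def token_problems(record_json, expected_kind, now=None):
    """Return the reasons a token must not be handed out; an empty list means usable."""
    rec = json.loads(record_json)
    now = now or datetime.now(timezone.utc)
    problems = []
    # A bridge token presented at the Node endpoint is rejected, so check kind first.
    if rec.get("kind") != expected_kind:
        problems.append(f"kind is {rec.get('kind')!r}, expected {expected_kind!r}")
    # Both fields stay null until the token is redeemed or revoked.
    if rec.get("consumed_at") is not None:
        problems.append(f"already redeemed at {rec['consumed_at']}")
    if rec.get("revoked_at") is not None:
        problems.append(f"revoked at {rec['revoked_at']}")
    expires = rec.get("expires_at")
    if expires is None:
        problems.append("expires_at missing")
    elif parse_ts(expires) <= now:
        problems.append(f"expired at {expires}")
    return problems

if __name__ == "__main__":
    # plexctl bootstrap-token get --token-id <token-uuid> --output json \
    #   | python3 check_token.py node
    found = token_problems(sys.stdin.read(), sys.argv[1])
    for reason in found:
        print("REFUSE:", reason)
    sys.exit(1 if found else 0)
```

A non-zero exit status means the token should be revoked and reissued rather than delivered.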
