# Secrets Manager Token Add

## Secrets Manager — Token Add

The `secrets-manager token add` subcommand adds a one-time access token to an existing KSM application. It is a discoverable shortcut to the `secrets-manager client add` flow, designed for operators and automation scripts that need to provision tokens without re-creating the application.

> **Applies to:** Keeper Commander 17.3+

***

### Syntax

```
secrets-manager token add <APP_UID_OR_NAME> [options]
```

This is equivalent to:

```
secrets-manager client add --app <APP_UID_OR_NAME> [options]
```

Both commands produce identical output. `token add` exists for discoverability — the help text for `secrets-manager` now surfaces a dedicated `token` sub-group.

***

### Parameters

| Parameter           | Required | Description                                |
| ------------------- | -------- | ------------------------------------------ |
| `<APP_UID_OR_NAME>` | Yes      | UID or name of an existing KSM application |

***

### Options

| Option                              | Type    | Default | Description                                                    |
| ----------------------------------- | ------- | ------- | -------------------------------------------------------------- |
| `--count <n>`                       | integer | 1       | Number of one-time tokens to generate                          |
| `--unlock-ip`                       | flag    | false   | Remove the IP-lock restriction from the generated token        |
| `--first-access-expires-in-min <n>` | integer | —       | Minutes until the token expires if not used for the first time |
| `--access-expire-in-min <n>`        | integer | —       | Minutes until the token expires after first use                |
| `--name <label>`                    | string  | —       | Friendly name for the generated client                         |
| `--config-init <type>`              | string  | —       | Output format for config initialisation (`k8s`, `json`, `b64`) |
| `--return-tokens`                   | flag    | false   | Return raw token string(s) to the caller (for scripting)       |

***

### Examples

#### Add a single token to an application

```
My Vault> secrets-manager token add MyApp
Token generated for application 'MyApp'.
  Token: US:AAA...
```

#### Generate multiple tokens

```
My Vault> secrets-manager token add MyApp --count 3
```

#### Generate a token that expires in 30 minutes if unused

```
My Vault> secrets-manager token add MyApp --first-access-expires-in-min 30
```

#### Scripting — capture the token value

```bash
TOKEN=$(keeper secrets-manager token add MyApp --return-tokens)
echo "Token: $TOKEN"
```

#### Generate a token with Kubernetes config output

```bash
keeper secrets-manager token add MyApp --config-init k8s --name ci-runner-token
```

***

### Notes

* The application must already exist. To create a new KSM application, use `secrets-manager app create <NAME>`.
* Tokens generated with `--unlock-ip` are not bound to the IP address of the machine that generated them.
* `--return-tokens` is intended for use in scripts. Without it, the token is printed to stdout as part of the normal command output.
* Implementation delegates entirely to `KSMCommand.add_client()` — no new API surface is introduced.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/commander-cli/command-reference/secrets-manager-commands/secrets-manager-token-add.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.