How can I detect if vault is authenticated?

So I issued a vault login command and I got this prompt:

Waiting for OIDC authentication to complete…
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run “vault login”
again. Future Vault requests will automatically use this token.

We have some scripts that need vault access to succeed.
I would like to check if vault is authenticated before issuing those commands.
I don’t want to have vault login before every one of the tasks.

I’ve set up a helper that people can call when they start work: bb access (it’s a babashka script). The script logs the user in and generates an SSH certificate.
So calling other tasks that require vault access should be transparent. So is SSH’ing into servers.

How can I check if the token is still valid to avoid running vault login?

You can use vault token lookup. If you have a valid token (and the permission on auth/token/lookup-self) then it’ll return 0. If you don’t then it’ll return a positive number.
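
One way to wire that check into a script, as an added example that is not part of the original thread. It goes beyond the exit-code check by also reading the remaining TTL from `vault token lookup -format=json`, so a token about to expire triggers a fresh login; `MIN_TTL` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. MIN_TTL and all function names
# are assumptions made for illustration.

# Seconds of lifetime the token must still have to count as usable.
MIN_TTL="${MIN_TTL:-300}"

# Print the remaining TTL (seconds) of the token held by the token helper.
# Returns non-zero when the lookup fails: no token, an expired or revoked
# token, or a token without permission on auth/token/lookup-self.
vault_token_ttl() {
    out=$(vault token lookup -format=json 2>/dev/null) || return 1
    # Pretty-printed JSON: match the "ttl" key only ("creation_ttl" does not match).
    ttl=$(printf '%s\n' "$out" |
        sed -n 's/.*"ttl": *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ttl" ] || return 1
    printf '%s\n' "$ttl"
}

# Return 0 when the cached token is valid for at least MIN_TTL more seconds.
vault_is_authenticated() {
    ttl=$(vault_token_ttl) || return 1
    # A ttl of 0 on a successful lookup is a non-expiring token (e.g. root).
    [ "$ttl" -eq 0 ] && return 0
    [ "$ttl" -ge "$MIN_TTL" ]
}

# Log in only when needed. Call this at the top of any task that needs Vault.
ensure_vault_login() {
    vault_is_authenticated && return 0
    # -no-print stores the token in the token helper without echoing it.
    vault login -method=oidc -no-print || return 1
    vault_is_authenticated
}
```

A failed lookup cannot tell a missing token from a token that lacks permission on auth/token/lookup-self, so in the second case this logs in again.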


I also saw the token is cached locally in ~/.vault-token.
I will create an issue for vault to use XDG directories instead of spitting it inside home.