How to know when token is for one time use


we are facing a problem on how to detect when an authentication (client_token) token is for one time use.

Returned data by vault, when the authentication is done, does not contain information about the maximum number of uses a token has. It contains information about the “lease_duration”, but not the “num_uses” value.
For obtaining that information, the lookup-a-token-self endpoint can be used. But, obviously, invoking this endpoint consums a “use” of the token.

So, for one-time tokens this solution does not work.

Is there another option for knowning the “num_uses” value for a token?. We can open also a feature request at Github repo, we wanted to add a question before that.

For reproducing the issue, next app role can be used:

  vault write auth/approle/role/onetime-token \
        token_policies="apps" \
        secret_id_ttl=0 \
        token_num_uses=1 \
        token_ttl=10s \
        token_max_ttl=30s \


Created a feature request: