Vault can be accessed without root token (or any token)

So I have a vault with 3 unseal keys, 2 keys in combination will unseal the vault. Usually the authentication process is three step:
unseal with first unseal-key (vault operator unseal)
unseal with second second unseal-key (vault operator unseal)
login with a token (vault login)
But if I enter an empty string as a token during vault login, I can still access the secrets inside just fine (vault kv get). So I wonder if I made a configuration mistake, or this is a software bug or this is how the security supposed to be?

Is that when you login right after unsealing? If so I have no idea, but if it’s not your first time logging into that vault, your token might already be saved which would make you permanently logged in… But I’m new to this so idk for sure

Right, I login right after unsealing (why would I wait?). Yes it’s not the first time, but if the token already saved, then why the tool is asking for the token? I enter anything as a token, it report error, but I can still access to secrets inside the vault.

I meant the first time you unsealed it, never mind. Again, new to this, the only time I unsealed a vault was right after initialization

I think if you type vault login it will ask for a new token but not forget the old one, and if the token is invalid you stay logged in on your already saved token.
There is no automatic logout as far as I’m aware, hence this message we get every time after logging in:

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Here’s what I would do to confirm that:
First do vault read auth/token/lookup-self.
Assuming the last valid token you logged in with was root, it probably returns

display_name        root
id                  [your root token]
path                auth/token/root
policies            [root]

among other things

Then log in a non-root account, for example
vault login -method=userpass username=[some username] password=[your password]
Do vault read auth/token/lookup-self again, it returns the corresponding id and policies,
Then do vault login again and enter a wrong token or nothing at all,
And vault read auth/token/lookup-self again. If I’m correct, it should still give you the info of the userpass user.

If all that happens, it just means you never “logged out” on that shell session or whatever.
I looked around a little and found it saves the token in your environment variables, you just need to unset VAULT_TOKEN to “log out” so to speak

Sorry for that overly long reply, hope it helped

I don’t think there is anything as VAULT_TOKEN being set to the shell. There is only VAULT_ADDR as the variable I set so the client can connect to the vault server

$ env | grep VAULT

The token helper (default behavior in the vault executable) will drop a token on the filesystem, not an environment variable.

Once authenticated, the CLI will store the generated token on disk in the ~/.vault-token file.