You’re confusing terms here.
An unseal key is a shard of your master key, and it does not expire. Make sure you have your set of keys available. A good idea is to re-key the instance (rotate the unseal keys) but let’s leave that until you’re more comfortable with the setup.
A token is just the result of a valid authentication to the system. All user tokens have a TTL (time-to-live) and expire. Tokens are provided as part of a request to the instance to prove that you’re authenticated and allowed to request the information you want.
To create a new token, you need a couple of items:
- A way to authenticate yourself
- What policies the token should get.
As for how to authenticate, this can be userpass, LDAP, or OIDC by default (and most common). If you don’t have any of these, there is the “root” token which does not expire and has full access to the instance. Common practice is not to leave the root token lying around and to revoke it.
If you don’t have a way to authenticate, nor do you have your root token, you can generate a new root token using your unseal keys. The number of keys you need depends on how the environment was set up.
```
# vault status
Total Shares .......... 5
Threshold ............. 3
```
This tells you that there are 5 keys in the set, but you only need 3 out of 5 to be able to unseal or generate a new root token.