What will happen if we lose the token which we were using in our application?

Hello Team,
I am new to Vault and exploring it. I have set up a 3-node Vault cluster using etcd storage (3 nodes for it as well) and have also successfully explored auto unseal using AWS KMS.

Some questions arose in my mind and I was able to find the answers to them, e.g.:

  1. We can generate a new token with read-only permission and use it in our application.
  2. We should never use the root token.
  3. If we lose the root token but have the unseal key, then we can generate a new root token if required.
  4. If we lose the root token and the unseal key as well, then we can’t do anything. With unseal key we can’t unseal vault.

But I have one more question and didn’t find the answer. Can you please help me?

Q. Let’s suppose we lose the token (read/write permission) which we are using in our application, but we can generate a new token using the unseal key. Can we read old data which was created using the old token?

My question might not be valid or good, sorry for that in advance.

Thank You

You must have an “operator” policy. This operator (human) must have some permissions to write policies and operate on auth backends.
If you lose a token, the operator can generate a new one.

PS: consider using AppRole for app authentication
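
An added example, not part of the original reply: a sketch of the kind of "operator" policy the answer describes, next to a read-only application policy. The KV v2 mount at `secret/` and the `myapp` path are assumptions for illustration.

```hcl
# operator.hcl (constructed example): policy for the human operator.

# Create, read, update and delete ACL policies.
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# List the existing ACL policies.
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Enable, tune and disable auth methods (token, AppRole, ...).
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

# List the enabled auth methods.
path "sys/auth" {
  capabilities = ["read"]
}

# Operate inside the auth methods: AppRole roles and SecretIDs, and
# auth/token/create for issuing a replacement token. "sudo" lets the
# operator attach policies that the operator token does not hold itself.
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# app-readonly.hcl (constructed example): policy for the application.
# Assumes a KV v2 secrets engine mounted at "secret/" and a hypothetical
# application prefix "myapp". Access is decided by the policy attached to
# whichever token presents it, so a newly issued token carrying this
# policy reads the same paths the lost token could.
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
```

Each policy is loaded from its own file with `vault policy write <name> <file>.hcl`.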