Why would the trusted entity need to wrapp the secret id in approle authentication?


I am learning about vault and approles, I have been reading this tutorial AppRole Pull Authentication | Vault - HashiCorp Learn and I don’t understand the reason the trusted entity wraps the token

vault write -wrap-ttl=60s -force auth/approle/role/jenkins/secret-id

The reason I ask is that the documentation also says we can restrict the token_ttl in the role so aren’t -wrappt-ttl and token_ttl trying to solve the same problem? why do we need to use both?

thank you very much