---
layout: commands
page_title: 'Commands: ACL Token Read'
---

# Consul ACL Token Read

Command: `consul acl token read`

Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/token/:AccessorID](/api-docs/acl/tokens#read-a-token)

The `acl token read` command reads and displays a token details.

The table below shows this command's [required ACLs](/api-docs/api-structure#authentication). Configuration of
[blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.

| ACL Required |
| ------------ |
| `acl:read`   |

## Usage

Usage: `consul acl token read [options] [args]`

#### Command Options

- `-id=<string>` - The ID of the policy to read. It may be specified as a unique ID
  prefix but will error if the prefix matches multiple policy IDs.

- `-meta` - Indicates that policy metadata such as the content hash and raft
  indices should be shown for each entry.

- `-self` - Indicates that the current HTTP token should be read by secret ID
  instead of expecting a -id option.

- `-expanded` - Indicates that the contents of the policies and roles affecting
  the token should also be shown.

- `-format={pretty|json}` - Command output format. The default value is `pretty`.

#### Enterprise Options

@include 'http_api_partition_options.mdx'

@include 'http_api_namespace_options.mdx'

#### API Options

@include 'http_api_options_client.mdx'

@include 'http_api_options_server.mdx'

## Examples

Get token details:

```shell-session
$ consul acl token read -id 986
AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
Description:  Read Nodes and Services
Local:        false
Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
```

Get token details using the token secret ID:

```shell
$consul acl token read -self
AccessorID:   4d123dff-f460-73c3-02c4-8dd64d136e01
SecretID:     86cddfb9-2760-d947-358d-a2811156bf31
Description:  Bootstrap Token (Global Management)
Local:        false
Create Time:  2018-10-22 11:27:04.479026 -0400 EDT
Policies:
   00000000-0000-0000-0000-000000000001 - global-management
```

Get token details (Builtin Tokens)

```shell-session
$ consul acl token read -id anonymous
AccessorID:   00000000-0000-0000-0000-000000000002
SecretID:     anonymous
Description:  Anonymous Token
Local:        false
Create Time:  0001-01-01 00:00:00 +0000 UTC
Policies:
```

Get token details (Expanded)

```shell-session
$ consul acl token read -expanded -id 986
AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
Description:  Read Nodes and Services
Local:        false
Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
Policies:
	Policy Name: foo
		ID: beb04680-815b-4d7c-9e33-3d707c24672c
		Description: user policy on token
		Rules:
			service_prefix "" {
			  policy = "read"
			}

	Policy Name: bar
		ID: 18788457-584c-4812-80d3-23d403148a90
		Description: other user policy on token
		Rules:
			operator = "read"

=== End of Authorizer Layer 0: Token ===
=== Start of Authorizer Layer 2: Agent Configuration Defaults (Inherited) ===
Description: Defined at request-time by the agent that resolves the ACL token; other agents may have different configuration defaults
Resolved By Agent: "leader"

Default Policy: allow
	Description: Backstop rule used if no preceding layer has a matching rule (refer to default_policy option in agent configuration)

Down Policy: deny
	Description: Defines what to do if this Token's information cannot be read from the primary_datacenter (refer to down_policy option in agent configuration)
```