Leases
Summary: Every dynamic secret and service token gets a lease — TTL + renewability metadata. When the lease expires (or is revoked) OpenBao tears down whatever the secret represented.
Sources: raw/docs/concepts/lease.md.
Last updated: 2026-05-19
What a lease is
Metadata wrapping a secret: a lease_id, a duration (TTL), and a renewable flag. OpenBao guarantees the secret’s validity for that TTL and revokes at expiry. All dynamic secrets must carry a lease, even when nominally permanent, so consumers are forced to check in (source: raw/docs/concepts/lease.md).
What carries a lease
- All dynamic secrets engines: databases, PKI, SSH, Kubernetes, cloud creds, etc.
- All service-type tokens (see tokens).
- Not the KV engine — it returns no lease (source: raw/docs/concepts/lease.md).
Renewal
bao lease renew -increment=3600 <lease_id> requests a new TTL counted from now, not from current expiry. The backend can ignore or cap the increment — inspect the returned lease (source: raw/docs/concepts/lease.md).
Revocation
Manual: bao lease revoke <lease_id>, the UI, or the API. Automatic: at TTL expiry, or transitively when the parent token is revoked.
Prefix-based revocation: lease IDs are structured so their prefix is the originating path. bao lease revoke -prefix auth/userpass/ revokes every secret minted via that mount — useful for incident response (source: raw/docs/concepts/lease.md).
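An added toy model (not OpenBao's own code) of the renewal and revocation rules above: a renewal is counted from now and capped by an assumed backend max TTL, revoking a prefix sweeps every lease ID under that path, and revoking a parent token transitively revokes its leases. Lease IDs, token names and TTLs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Lease:
    lease_id: str          # prefix is the originating path, e.g. "database/creds/ro/<id>"
    expires_at: float      # epoch seconds
    renewable: bool
    max_ttl: float         # assumed backend cap on any single renewal increment
    parent_token: Optional[str] = None
    revoked: bool = False

class LeaseStore:
    """Toy model of lease semantics; not the OpenBao implementation."""
    def __init__(self) -> None:
        self.leases: Dict[str, Lease] = {}

    def issue(self, lease_id: str, ttl: float, now: float, *, max_ttl: Optional[float] = None,
              renewable: bool = True, parent_token: Optional[str] = None) -> Lease:
        lease = Lease(lease_id, now + ttl, renewable, ttl if max_ttl is None else max_ttl, parent_token)
        self.leases[lease_id] = lease
        return lease

    def active(self, lease_id: str, now: float) -> bool:
        lease = self.leases[lease_id]
        return not lease.revoked and now < lease.expires_at

    def renew(self, lease_id: str, increment: float, now: float) -> float:
        """Like `bao lease renew -increment=N`: returns the TTL actually granted."""
        lease = self.leases[lease_id]
        if not self.active(lease_id, now) or not lease.renewable:
            raise ValueError(f"{lease_id}: expired, revoked or non-renewable")
        granted = min(increment, lease.max_ttl)  # backend may cap the requested increment
        lease.expires_at = now + granted         # counted from now, NOT from the old expiry
        return granted

    def revoke(self, lease_id: str) -> None:
        self.leases[lease_id].revoked = True

    def revoke_prefix(self, prefix: str) -> int:
        """Like `bao lease revoke -prefix <path>`: revokes every lease minted under that path."""
        hits = [l for lid, l in self.leases.items() if lid.startswith(prefix) and not l.revoked]
        for lease in hits:
            lease.revoked = True
        return len(hits)

    def revoke_token(self, token: str) -> int:
        """Revoking a token transitively revokes the leases it created."""
        hits = [l for l in self.leases.values() if l.parent_token == token and not l.revoked]
        for lease in hits:
            lease.revoked = True
        return len(hits)
```

The point to notice is that two renewals at different moments yield different absolute expiries even for the same increment, which is why a renewer must read the returned lease rather than add the increment to its own clock.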
Lifetime watcher
The OpenBao Go SDK exposes a LifetimeWatcher that handles renew-or-relogin loops; the canonical example is in raw/docs/concepts/auth.md. The OpenBao Agent does this same job out-of-process for applications that don’t speak the API natively.
Related pages
- tokens — service tokens are leased too
- secrets — dynamic engines own the lease lifecycle of their secrets
- agent-and-proxy — agent renews leases on behalf of apps