From 8355cf5b2e1f0c4beff2f669ca6d89b243f47aff Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 1 Aug 2019 12:05:42 -0700 Subject: [PATCH] Explain how to invalidate API tokens --- content/rancher/v2.x/en/api/_index.md | 2 ++ .../rancher/v2.x/en/api/api-tokens/_index.md | 29 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 content/rancher/v2.x/en/api/api-tokens/_index.md diff --git a/content/rancher/v2.x/en/api/_index.md b/content/rancher/v2.x/en/api/_index.md index 084287dc540..3d7fe582fa8 100644 --- a/content/rancher/v2.x/en/api/_index.md +++ b/content/rancher/v2.x/en/api/_index.md @@ -11,6 +11,8 @@ The API has its own user interface accessible from a web browser. This is an ea API requests must include authentication information. Authentication is done with HTTP basic authentication using [API Keys]({{< baseurl >}}/rancher/v2.x/en/user-settings/api-keys/). API keys can create new clusters and have access to multiple clusters via `/v3/clusters/`. [Cluster and project roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) apply to these keys and restrict what clusters and projects the account can see and what actions they can take. +By default, all cluster-level API tokens are generated with infinite time-to-live (`ttl=0`). In other words, API tokens never expire unless you invalidate them. For details on how to invalidate them, refer to the [API tokens page]({{}}/rancher/v2.x/en/api/api-tokens). + ## Making requests The API is generally RESTful but has several features to make the definition of everything discoverable by a client so that generic clients can be written instead of having to write specific code for every type of resource. For detailed info about the generic API spec, [see here](https://github.com/rancher/api-spec/blob/master/specification.md). 
diff --git a/content/rancher/v2.x/en/api/api-tokens/_index.md b/content/rancher/v2.x/en/api/api-tokens/_index.md new file mode 100644 index 00000000000..69d63e1cec4 --- /dev/null +++ b/content/rancher/v2.x/en/api/api-tokens/_index.md @@ -0,0 +1,29 @@ +--- +title: API Tokens +weight: 1 +--- + +By default, all cluster-level API tokens are generated with infinite time-to-live (`ttl=0`). In other words, API tokens never expire unless you invalidate them. Tokens are not invalidated by changing a password. + +You can deactivate API tokens by deleting them or by deactivating the user account. + +To delete a token, + +1. Go to the list of all tokens in the Rancher API view at `https:///v3/tokens`. + +1. Access the token you want to delete by its ID. For example, `https:///v3/tokens/kubectl-shell-user-vqkqt` + +1. Click **Delete.** + +Here is the complete list of tokens that are generated with `ttl=0`: + +| Token | Description | +|-------|-------------| +| `kubeconfig-*` | Kubeconfig token | +| `kubectl-shell-*` | Access to `kubectl` shell in the browser | +| `agent-*` | Token for agent deployment | +| `compose-token-*` | Token for compose | +| `helm-token-*` | Token for Helm chart deployment | +| `*-pipeline*` | Pipeline token for project | +| `telemetry-*` | Telemetry token | +| `drain-node-*` | Token for drain (we use `kubectl` for drain because there is no native Kubernetes API) |
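Review bot: In content/rancher/v2.x/en/api/_index.md, the link in the added paragraph is written with an empty shortcode, `({{}}/rancher/v2.x/en/api/api-tokens)`, while both links in the context line directly above it use `{{< baseurl >}}` and end with a trailing slash. Write it as `{{< baseurl >}}/rancher/v2.x/en/api/api-tokens/` to match. The context line also calls these credentials "API Keys" and the new sentence calls them "API tokens". Since the new sentence tells readers that these credentials never expire, say in a few words whether the two terms refer to the same thing.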
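Review bot: In content/rancher/v2.x/en/api/api-tokens/_index.md, steps 1 and 2 of the delete procedure give the URLs as `https:///v3/tokens` and `https:///v3/tokens/kubectl-shell-user-vqkqt`, with nothing between `https://` and `/v3`. If a server placeholder was intended there, write it in a form that survives rendering, for example upper-case text without angle brackets inside the backticks. The page also says tokens can be deactivated "by deleting them or by deactivating the user account" but only documents the delete path, so add the steps for the account route or link to the page that covers it. Since the page states that changing a password does not invalidate tokens, it would also help to say explicitly that each token in the `ttl=0` table has to be deleted individually when a credential is suspected of being exposed, if that is the case.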