1. Worf User Guide
    1. Prerequisites
    2. Start
    3. Generate Configuration from standalone template
    4. Save defaults (uuid, application name)
    5. Encode token
    6. Decode token
    7. Quit


Worf has been deprecated since Warp 10 2.1.0.

From version 2.1.0 onward, refer to TOKENGEN instead. TOKENGEN and TOKENDUMP within WarpScript allow greater flexibility and automation.

This page is kept for earlier Warp 10 revisions.

If you use the Worf command line in your scripts (i.e. ./warp10-standalone-2.1.0.sh worf appName ttl(ms)), you can still use it with the multiple configuration files of Warp 10 2.1.0. To do so, move or copy the warp.aes.* and warp.hash.* keys from your etc/conf.d/.conf to a new file etc/conf.d/00-secrets.conf. This method works, but is not supported.

Worf User Guide

Worf is used to generate Warp 10 read and write tokens.


Prerequisites

  • JVM 1.7 or later
  • Warp 10 full Jar
  • Warp 10 configuration file


Start

Launch Worf with this command line:

$ java -cp warp-full-<revision name>.jar io.warp10.worf.Worf -i <path to Warp10 configuration file>

Worf loads the Warp 10 configuration file and extracts the hash and AES keys necessary for token delivery.

  • Use <Tab> for the complete list of commands.
  • Use <Up or Down> for the command history.

Two modes are available:

  • interactive mode (-i), which prompts the user on the command line
  • scripting mode (default), in which all parameters must be set on the command line

Generate Configuration from standalone template

$ java -cp warp-full-<revision name>.jar io.warp10.worf.Worf -i /path/to/warp10.conf

Worf loads the Warp 10 standalone template, generates the hash and AES keys, and by default writes the resulting configuration to the same path.

Save defaults (uuid, application name)

If you generate a configuration file and tokens in the same command (io.warp10.worf.Worf -t -a <name> -ttl 10000000 -puidg <template>), Worf can save a default configuration (..worf) at the same path. It contains:

  • the producer uuid
  • the owner uuid
  • the application name

These values are then used as defaults in both interactive and scripting mode.

Encode token

You can encode tokens with the encodeToken command or the -t option. You have to enter the following fields:

  1. token type (read or write)
  2. application name
  3. producer UUID
  4. owner UUID (press Enter to use the producer UUID as owner)
  5. time to live (in milliseconds)
  6. encode or cancel

This produces the following output:

application name=test.application.name
producer & owner=4430fb04-ba03-11e5-ae25-535a84589344 & 4430fb04-ba03-11e5-ae25-535a84589344

You can use this token immediately on the fetch, update or delete endpoints. The token identifier can be used to revoke the token by adding it to a TRL (token revocation list).

Decode token

You can decode a token and print its properties (only available in interactive mode). You can also convert a write token into a read token with strictly the same properties (validity, application, owner and producer UUIDs).


Quit

No command history is stored by Worf.


Since Warp 10 1.2.2, Worf includes a TokenGen command, which uses the TOKENGEN function from io.warp10.script.ext.token.TokenWarpScriptExtension.

The TOKENGEN function is only usable from Worf (it needs a KeyStore).

Tokens are described as a WarpScript map.

The following command executes the WarpScript code from in.mc2 and outputs the stack as JSON to out.json:

$ java -cp warp-full-<revision name>.jar io.warp10.worf.TokenGen /path/to/warp10.conf in.mc2 out.json

Example of in.mc2

{
  'id' 'nameoftoken'  // for bookkeeping purposes
  'type' 'READ'       // or 'WRITE'
  'application' 'app' // Name of applications for this token
  'owner' 'UUID'      // UUID of the data owner for WRITE tokens or the billed user for READ tokens
  'issuance' NOW 1 ms /      // Time of token issuance (in ms since the Unix Epoch)
  'expiry' NOW 30 d + 1 ms / // Time of token expiry (in ms since the Unix Epoch)
  'ttl' 300 d 1 ms /         // Time To Live of the token, use if not using 'expiry' (in ms)
  'labels' {}         // Map of token labels
  'attributes' {}     // Map of token attributes
  // The following keys are only for READ tokens, can be omitted, the token is then considered a WildCard token.
  'owners' [ /* List of UUIDs */ ]
  'producers' [ /* List of UUIDs */ ]
  'applications' [ /* List of application names or regexps (if more than one) */ ]
  // The following key is only for WRITE tokens and is mandatory.
  'producer' 'UUID' // UUID of the data producer
}
TOKENGEN

Example of out.json

{
  "id": "nameoftoken",   // Value of the 'id' field from the TOKENGEN parameter map
  "token": "...",        // Encoded token
  "ident": "hhhhhhhhhhhhhhhh" // TokenIdent, for use in Token Revocation List
}

You can use - for stdin and stdout:

$ java -cp warp-full-<revision name>.jar io.warp10.worf.TokenGen /path/to/warp10.conf - -
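
As an added example (not part of the Warp 10 documentation or code), the shell functions below build an in.mc2 spec of the kind shown above and pipe it to TokenGen over stdin/stdout. They reject values that could break out of the WarpScript string literals, enforce the mandatory 'producer' for WRITE tokens, and set the READ-only keys so a READ token is not a wildcard token. The function names and the WARP10_JAR and WARP10_CONF environment variables are assumptions.

```shell
# Added example, not Warp 10 code: names and env vars here are hypothetical.
# `case` tests the whole string, so an embedded quote or newline cannot
# escape the WarpScript string literal the value is spliced into.
is_name() { case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; }

is_uuid() {
  case $1 in
    *[!0-9a-fA-F-]*) return 1 ;;
    ????????-????-????-????-????????????) ;;
    *) return 1 ;;
  esac
  hex=$(printf '%s' "$1" | tr -d '-')
  [ "${#hex}" -eq 32 ]   # exactly four dashes, so all other positions are hex
}

# token_spec ID TYPE APP OWNER_UUID TTL_DAYS [PRODUCER_UUID]
token_spec() {
  id=$1 ttype=$2 app=$3 owner=$4 days=$5 producer=${6:-}
  is_name "$id" && is_name "$app" || { echo "bad id or application" >&2; return 1; }
  is_uuid "$owner" || { echo "owner must be a UUID" >&2; return 1; }
  case $days in ''|*[!0-9]*|0*) echo "ttl: positive whole days" >&2; return 1 ;; esac
  case $ttype in
    WRITE) # 'producer' is mandatory for WRITE tokens
      is_uuid "$producer" || { echo "WRITE needs a producer UUID" >&2; return 1; }
      scope="  'producer' '$producer'" ;;
    READ)  # set the READ-only keys so the result is not a wildcard token
      scope="  'owners' [ '$owner' ]
  'applications' [ '$app' ]" ;;
    *) echo "type must be READ or WRITE" >&2; return 1 ;;
  esac
  cat <<EOF
{
  'id' '$id'
  'type' '$ttype'
  'application' '$app'
  'owner' '$owner'
  'issuance' NOW 1 ms /
  'ttl' $days d 1 ms /
$scope
}
TOKENGEN
EOF
}

# Pipe the spec to TokenGen via "- -"; WARP10_JAR/WARP10_CONF are assumed env vars.
make_token() {
  spec=$(token_spec "$@") || return 1
  printf '%s\n' "$spec" | java -cp "$WARP10_JAR" io.warp10.worf.TokenGen "$WARP10_CONF" - -
}
```

make_token prints the encoded token on stdout, so redirect it to a location with restricted permissions rather than to a shared log.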