Pre-authorize sessions

In the standard workflow Boundary performs authorization when you attempt to connect to a target. However, you can pre-authorize a session and connect to it later using an authorization token. Using an authorization token can save time and reduce API calls.

Separating authorization from the connection process can also improve security. If you issue authorization tokens to your users, it prevents them from having to know or manage connection information.

Complete the following steps to pre-authorize a session:

1. Log in to Boundary.

2. Use the following command and provide the target ID and host ID for the target you want to pre-authorize a session to:

   $ boundary targets authorize-session -id <TARGET_ID> -host-id <HOST_ID>
   

   Boundary issues an authorization token like the example below:

      Target information:
        Authorization Token:
        3vYggdcgyASTqU5dvh8vXLkohH9e3PzPyLLoZUXaVFFu4kDFSjoMDx5SzH5X7yjNdF4K6SkVxhAKjhK3fFufFUs7GUxfMVsPC6YdA6gp57FqzGSogRVjGpi4LtsqgedE4GpHzfkV3bYkz8YxqLbpBRV4ZtPSmvtvTxJZtLXZLSzpeWvJdB2r5Gq7uhqEe81aMUZKEZcwd5TpS79VwKnD3USyw9mdo7SNbe32G6Vru3BMgQRk5KYX7QUNJUCUVAzmMp9m2G7jDpzZUW7dyvq58rpYwGGVZYRjuwF87KN3i34o6oJ7kUSYr1vvd58JjVzsWncEpAGMxyt9RcHd4vKgDyYbV5gdHHfKdMyDBB7NFAXXzRjCXeF8k7yFZ2rT973dBBpN4GyGcF1Xq9YfMRAE2QTXC9noJ2zdadruQoWZRsRpWm3mdLbiXWXE4AtGkTG6eyQ2bgyBK8BmZk3k4AJrkzpMAcSd8NfCcAFaPnvpGZgAMMBz2sZJ6CBahxeW1A55ccqBVgT95ZL77wBA57Pmia4Hfz38KpbeTtwDBK6CuW16C1aRGnwzajwsFeYSL4vJgLfDhJvjkfKK5mLwYJtcp2gVqxbQMZvDSqGXM1TQHC8g74JfpxLE6oQEBZ7yjGWT32zd4kaQufceN7biiZAJSiVqxPGpRGfgMcW4ZLTq8DALWtviA1p4aFJETzedDoJ4c16wnL2GoHgHtsT7xUjZvKq7v659Psg55iKgNQmrt2ubHoU3GcLK54UQ7ho27wMZdPgSu6Xv2nUjcG7f6CaaDkYgCKTq1b
        Created Time:          Tue, 31 Mar 2026 17:26:33 MST
        Endpoint:              tcp://127.0.0.1:16001
        Host ID:               hst_DHei2VpkBH
        Scope ID:              p_VF6GGqKxMz
        Session ID:            s_mraN5QJr7t
        Target ID:             ttcp_wtXnow8Krb
        Type:                  tcp
        User ID:               u_1234567890
   

3. Copy the authorization token.

4. When you are ready to connect to the target for which you pre-authorized a session, use the following command and provide the authorization token value:

   $ boundary connect -authz-token <AUTHZ_TOKEN>
   

   Boundary then connects to the target and establishes the pre-authorized session.

More information

• To better understand sessions, refer to Overview of sessions.
• For more specific information about how the session resource relates to other Boundary resources, refer to the Sessions domain model topic.
• To view the possible session parameters, refer to the session CLI or API documentation.

Next steps

• View session information including the session ID, user who initiated the session, target name, start date, and session status.
• Cancel a session if you no longer need it or detect unexpected activity.