Use the remint-all command to generate a new service account keypair and remint all stored service account tokens for the profile in a single atomic operation.

The remint-all command is essential for maintaining security by:
  • Ensuring every consumer token is re-signed after key compromise or routine rotation.
  • Preserving token attributes, such as name, client_id, scopes, days, and issuer, unless manually edited.

Behavior summary

When executed, the remint-all command performs the following actions:
  • Creates a fresh private and public key pair under the sa directory. The previous keys are overwritten after a successful remint.
  • Iterates through the profile.json.sa_tokens[] array and re-mints each token using the preserved metadata.
  • Updates the timestamp if it is present in the profile.
  • Maintains the primary token in the client/mcp.json file.
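
A post-rotation check for the behavior listed above, as an added example that is not part of the tool itself: it compares profile.json snapshots taken before and after remint-all and reports tokens whose preserved attributes drifted or whose token string did not change. It assumes each sa_tokens[] entry has a unique name and stores its signed token under a "token" key; both are assumptions, as are the sample snapshots.

```python
# Attributes the page lists as preserved across a remint.
PRESERVED = ("name", "client_id", "scopes", "days", "issuer")
TOKEN_FIELD = "token"  # assumption: key that holds the signed token string


def _norm(value):
    # Treat scope lists as unordered so a reordering is not reported as drift.
    return sorted(value) if isinstance(value, list) else value


def check_remint(before, after):
    """Compare profile.json snapshots taken before and after remint-all."""
    problems = []
    # Assumption: "name" is unique per entry and can be used as the join key.
    old = {t["name"]: t for t in before.get("sa_tokens", [])}
    new = {t["name"]: t for t in after.get("sa_tokens", [])}
    for name in sorted(old.keys() - new.keys()):
        problems.append(f"{name}: missing after remint")
    for name in sorted(new.keys() - old.keys()):
        problems.append(f"{name}: entry not present before remint")
    for name in sorted(old.keys() & new.keys()):
        o, n = old[name], new[name]
        for attr in PRESERVED:
            if _norm(o.get(attr)) != _norm(n.get(attr)):
                problems.append(
                    f"{name}: {attr} changed from {o.get(attr)!r} to {n.get(attr)!r}")
        if o.get(TOKEN_FIELD) == n.get(TOKEN_FIELD):
            problems.append(f"{name}: token unchanged, still signed by the old key")
    return problems


# Constructed sample snapshots (not real profile data).
BEFORE = {"sa_tokens": [
    {"name": "ci", "client_id": "ci-runner", "scopes": ["read", "write"],
     "days": 90, "issuer": "example-issuer", "token": "OLD-ci"},
    {"name": "dash", "client_id": "dashboard", "scopes": ["read"],
     "days": 30, "issuer": "example-issuer", "token": "OLD-dash"}]}
AFTER_OK = {"sa_tokens": [
    dict(BEFORE["sa_tokens"][0], scopes=["write", "read"], token="NEW-ci"),
    dict(BEFORE["sa_tokens"][1], token="NEW-dash")]}
AFTER_BAD = {"sa_tokens": [
    dict(BEFORE["sa_tokens"][0], scopes=["read"], token="NEW-ci"),
    dict(BEFORE["sa_tokens"][1])]}  # token string left as it was

if __name__ == "__main__":
    for line in check_remint(BEFORE, AFTER_BAD):
        print(line)
```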

Exit status condition

The command returns the following exit status conditions:
  • Returns a non-zero exit status if any token fails to remint.
  • If there are partial failures, the old key pair and tokens remain intact because the operation is designed to be all or nothing.

Use cases

Use the following commands based on the specific scenario:
Scenario                                   Command
Adjust scopes on primary token only        sa-token --set-primary
Key compromise suspected                   remint-all
Quarterly organization-wide key rotation   remint-all
Need to extend primary token lifetime      sa-token --set-primary
Add a brand-new token for a new client     sa-token