# Obtain authentication tokens
The authentication tokens include two types: an access token and a refresh token.
* **Access token:** The access token is a short-lived token (five minutes) used for accessing the WEKA system API and to allow the mounting of secure filesystems.
* **Refresh token:** The refresh token is a long-lived token for obtaining an additional access token.
**Procedure**
Do one of the following:
* To obtain the refresh token and access token, **through the CLI**, log in to the system using the command: `weka user login`.
The system creates an authentication token file and saves it in: `~/.weka/auth-token.json`. The token file contains both the access token and refresh token.
* To obtain the refresh token and access token, **through the REST API,** use the `POST /login`. The API returns the token in the response body.
## Manage long-lived tokens for REST API usage
When working with the REST API, local users may require using a long-lived token (a token that doesn't require a refresh every 5 minutes).
As a local user, you can generate a long-lived token using the GUI or the CLI.
### Generate a long-live access token using the GUI
**Procedure**
1. From the signed-in user menu, select **API Token**.
2. In the Manage API Token dialog, select Generate token and set the expiration time. Then, select **Generate**.
Manage API Token
{% hint style="info" %}
**Note:** If you want to revoke all existing login tokens of the local user and refresh them, select **Revoke Tokens**.
{% endhint %}
3\. Copy the generated token and paste it to the REST API authorization dialog.
Generated token
The following demonstrates how to generate the API token and authorize it in the REST API.
Generate a long-lived token using the GUI example
### Generate a long-lived access token using the CLI
**Command:** `weka user generate-token [--access-token-timeout timeout]`
The default timeout is 30 days.
To revoke the access and refresh tokens, use the CLI command: `weka user revoke-tokens`.
