pbs_token_update
Update a PBS API token's metadata: change enable, expiry, comment; regenerate the secret with confirmation. Dry-run by default.
Instructions
MUTATION: update a PBS API token's metadata. Dry-run by default.
RISK IS CONDITIONAL: regenerate=False is MEDIUM (metadata-only); regenerate=True is HIGH — it issues a brand-new secret and invalidates the OLD one IMMEDIATELY, with no grace period, breaking any integration still using it. When regenerate=True, confirm=True's result carries the NEW secret ONCE (key 'secret') — same never-in-ledger contract as pbs_token_create: the detail dict passed to the audit ledger never contains it.
confirm=True executes and returns a dict; synchronous, no UPID. Needs PROXIMO_PBS_* config.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| digest | No | Optional SHA256 config digest to prevent concurrent modifications. | |
| enable | No | Whether the token is usable; False disables it immediately. Omit to leave unchanged. | |
| expire | No | Token expiry as a Unix timestamp; omit to leave unchanged. | |
| userid | Yes | Owning PBS user, format 'user@realm'. | |
| comment | No | Optional free-text comment; omit to leave unchanged. | |
| confirm | No | False (default) returns a dry-run PLAN preview; True executes the mutation. | |
| regenerate | No | If True, issue a BRAND-NEW secret and invalidate the old one immediately (RISK_HIGH — any system using the old token loses access instantly). | |
| token_name | Yes | Name of the API token to update. | |
| delete_props | No | Property names to clear: only 'comment' is supported by PBS on this endpoint. | |
| proximo_target | No | Which configured Proxmox target to run this call against — a target name from your multi-target config (a specific PVE/PBS/PMG/PDM box). Omit to use the single/default target from the environment; the selection applies only to this call. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |