op cli + 1password connect 141 vault limit on create token #74

Open
hortonew opened this issue Oct 3, 2023 · 1 comment

hortonew commented Oct 3, 2023

Works:

```
op connect token create "token_with_141_vaults" --server "your_server_id" --expires-in 1h --vault vault1 --vault vault2 ... --vault vault141
```

Doesn't work:

```
op connect token create "token_with_142_vaults" --server "your_server_id" --expires-in 1h --vault vault1 --vault vault2 ... --vault vault142
```

Error

```
[ERROR] 2023/10/03 10:58:37 failed to RegisterToken: "Validation: (400) (Bad Request), The structure of request was invalid.
```

Tested on versions of op cli from v2.6.0 through the latest v2.21.0 and it's been a problem consistently for the past year.

edif2008 (Member) commented Feb 1, 2024

Hey @hortonew,

What you're encountering here is that your request would generate a Connect token that is over the allowed maximum size. In general a Connect token can have permissions up to 100 vaults. This limit is in place to ensure that the size of the token isn't too large, specifically 8KB. This is based on the recommended size of JWT tokens:

> Note that if you send JWT tokens through HTTP headers, you should try to prevent them from getting too big. Some servers don't accept more than 8 KB in headers.

With 141 vaults or more, your Connect token would be over 8KB, which you would no longer be able to use when interacting with Connect due to it being too large.

An alternative solution to this is to create separate tokens that access subsets of the vaults the Connect server can access.
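
The workaround from the reply above, splitting the vaults across several tokens, as an added example that is not part of the issue thread or 1Password's own tooling: a POSIX shell dry run that batches vault names and prints one `op connect token create` command per batch. The `token_part` prefix, the helper function names and the sample vault names are assumptions; the batch size of 100 is the figure given in the reply.

```shell
#!/bin/sh
# Added example (not from the issue thread): plan one Connect token per batch of vaults.
# Dry run only: prints `op connect token create` commands, executes nothing.

# Vaults per token; 100 is the figure given in the maintainer's reply above.
MAX_VAULTS_PER_TOKEN=${MAX_VAULTS_PER_TOKEN:-100}

# Single-quote a value so the printed command is safe to paste into a shell.
shq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# plan_connect_tokens <token-name-prefix> <server-id> <expires-in> <vault>...
# Body runs in a subshell ( ... ) so its variables do not leak into the caller.
plan_connect_tokens() (
  prefix=$1; server=$2; expires=$3
  shift 3
  [ "$#" -gt 0 ] || { echo "plan_connect_tokens: no vaults given" >&2; exit 1; }

  emit() {  # print the command for the batch collected so far
    printf 'op connect token create %s --server %s --expires-in %s%s\n' \
      "$(shq "${prefix}_${n}")" "$(shq "$server")" "$(shq "$expires")" "$args"
  }

  n=1; count=0; args=""
  for v in "$@"; do
    args="$args --vault $(shq "$v")"
    count=$((count + 1))
    if [ "$count" -eq "$MAX_VAULTS_PER_TOKEN" ]; then
      emit
      n=$((n + 1)); count=0; args=""
    fi
  done
  # Emit the final, partially filled batch (if any).
  [ "$count" -eq 0 ] || emit
)

# Constructed sample: the 142-vault case from the report, split into 100 + 42.
sample_vaults() {
  i=1
  while [ "$i" -le 142 ]; do printf 'vault%s\n' "$i"; i=$((i + 1)); done
}
# Word splitting is intended here: the constructed names contain no spaces.
plan_connect_tokens "token_part" "your_server_id" "1h" $(sample_vaults)
```

Review the printed commands before running them; each resulting token grants access only to the vaults in its own batch, so clients need the token that matches the vault they read.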
