Abstract
Fermilab is the first High Energy Physics institution to transition from X.509 user certificates to authentication tokens in production systems. All the experiments that Fermilab hosts are now using JSON Web Token (JWT) access tokens in their grid jobs. Many software components have been either updated or created for this transition, and most of the software is available to others as open source. The tokens are defined using the WLCG Common JWT Profile. Token attributes for all the tokens are stored in the Fermilab FERRY system which generates the configuration for the CILogon token issuer. High security-value refresh tokens are stored in Hashicorp Vault configured by htvault-config, and JWT access tokens are requested by the htgettoken client through its integration with HTCondor. The Fermilab job submission system jobsub was redesigned to be a lightweight wrapper around HTCondor. The grid workload management system GlideinWMS which is also based on HTCondor was updated to use tokens for pilot job submission. For automated job submissions a managed tokens service was created to reduce duplication of effort and knowledge of how to securely keep tokens active. The existing Fermilab file transfer tool ifdh was updated to work seamlessly with tokens, as well as the Fermilab POMS (Production Operations Management System) which is used to manage automatic job submission and the RCDS (Rapid Code Distribution System) which is used to distribute analysis code via the CernVM FileSystem. The dCache storage system was reconfigured to accept tokens for authentication in place of X.509 proxy certificates. As some services and sites have not yet implemented token support, proxy certificates are still sent with jobs for backwards compatibility, but some experiments are beginning to transition to stop using them.
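As an added example (not code from the paper or from any Fermilab software), the block below shows the kind of claim check a token-accepting storage service such as dCache would apply to a WLCG Common JWT Profile access token after its signature has been verified against the issuer's published keys. The claim names (wlcg.ver, scope, aud, exp, nbf) follow the profile; the issuer, audience, user and paths in the sample claims are constructed placeholders.

```python
# Claim-level authorization for a WLCG Common JWT Profile (v1.0) access token.
# Assumption: the JWT signature has already been checked and the payload decoded;
# this code only decides whether the verified claims permit one storage request.
import time

WLCG_ANY_AUDIENCE = "https://wlcg.cern.ch/jwt/v1/any"  # profile's catch-all audience
# Requested storage operation -> scope name that authorizes it (profile scope names).
OPERATION_SCOPES = {"read": "storage.read", "write": "storage.create", "modify": "storage.modify"}


def _path_covered(scope_path: str, request_path: str) -> bool:
    """True when request_path equals scope_path or lies beneath it (no prefix tricks)."""
    scope_path = scope_path.rstrip("/") or "/"
    if scope_path == "/":
        return True
    return request_path == scope_path or request_path.startswith(scope_path + "/")


def authorize(claims: dict, operation: str, path: str, my_audience: str, now=None) -> tuple:
    """Return (allowed, reason); every rejection names the failed check for logging."""
    now = time.time() if now is None else now
    if claims.get("wlcg.ver") != "1.0":
        return False, "unsupported or missing wlcg.ver"
    if "exp" not in claims or now >= claims["exp"]:
        return False, "token expired or has no exp"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if my_audience not in aud and WLCG_ANY_AUDIENCE not in aud:
        return False, "audience mismatch"
    wanted = OPERATION_SCOPES.get(operation)
    if wanted is None:
        return False, f"unknown operation {operation!r}"
    # Scopes are space-separated; storage scopes must carry a path after a colon.
    for scope in claims.get("scope", "").split():
        name, _, scope_path = scope.partition(":")
        if name == wanted and scope_path.startswith("/") and _path_covered(scope_path, path):
            return True, f"granted by scope {scope}"
    return False, f"no {wanted} scope covers {path}"


# Constructed sample claims: read access to one experiment's tree, write to its scratch area.
SAMPLE_CLAIMS = {
    "wlcg.ver": "1.0",
    "iss": "https://issuer.example/",  # placeholder issuer, not a real token issuer
    "sub": "example-user",
    "aud": WLCG_ANY_AUDIENCE,
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,  # one-hour lifetime
    "scope": "storage.read:/pnfs/exp storage.create:/pnfs/exp/scratch",
}
```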