Documentation

Configure authentication

To configure authentication, do one of the following:

Enable authentication

Authentication is disabled by default in InfluxDB and InfluxDB Enterprise. After installing the data nodes, enable authentication to control access to your cluster.

To enable authentication in a cluster, do the following:

  1. Set auth-enabled to true in the [http] section of the configuration files for all meta and data nodes:
    [http]
      # ...
      auth-enabled = true
    
  2. Next, create an admin user (if you haven’t already). Using the influx CLI, run the following command:
    CREATE USER admin WITH PASSWORD 'mypassword' WITH ALL PRIVILEGES
    
  3. Restart InfluxDB Enterprise. Once restarted, InfluxDB Enterprise checks user credentials on every request and only processes requests with valid credentials.

Configure authentication using JWT tokens

For a more secure alternative to using passwords, include JWT tokens in requests to the InfluxDB API.

  1. Add a shared secret in your InfluxDB Enterprise configuration file.

    InfluxDB Enterprise uses the shared secret to encode the JWT signature. By default, shared-secret is set to an empty string (no JWT authentication). Add a custom shared secret in your InfluxDB configuration file for each meta and data node. Longer strings are more secure:

    [http]
    shared-secret = "my super secret pass phrase"
    

    Alternatively, to avoid keeping your secret phrase as plain text in your InfluxDB configuration file, set the value with the INFLUXDB_HTTP_SHARED_SECRET environment variable (for example, in Linux: export INFLUXDB_HTTP_SHARED_SECRET=MYSUPERSECRETPASSPHRASE).

  2. Generate your JWT token.

    Use an authentication service (such as, https://jwt.io/) to generate a secure token using your InfluxDB username, an expiration time, and your shared secret.

    The payload (or claims) of the token must be in the following format:

    {
        "username": "myUserName",
        "exp": 1516239022
    }
    

    To encode the payload using your shared secret, use a JWT library in your own authentication server or encode by hand at https://jwt.io/.

  3. Include the token in HTTP requests.

    Include your generated token as part of the Authorization header in HTTP requests:

    Authorization: Bearer <myToken>
    

    Only unexpired tokens will successfully authenticate. Verify your token has not expired.

Example query request with JWT authentication

curl -G "http://localhost:8086/query?db=demodb" \
  --data-urlencode "q=SHOW DATABASES" \
  --header "Authorization: Bearer <header>.<payload>.<signature>"

Authentication and authorization HTTP errors

Requests with no authentication credentials or incorrect credentials yield the HTTP 401 Unauthorized response.

Requests by unauthorized users yield the HTTP 403 Forbidden response.

Next steps

After configuring authentication, you can manage users and permissions as necessary.

Important
Authentication must be enabled before authorization can be managed. If authentication is not enabled, permissions will not be enforced.


Set your InfluxDB URL

Upgrade to InfluxDB Cloud or InfluxDB 2.0!

InfluxDB Cloud and InfluxDB OSS 2.0 ready for production.