Create a token
Create API tokens using the InfluxDB user interface (UI), the influx command line interface (CLI), or the InfluxDB API.
To follow best practices for secure API token generation and retrieval, InfluxDB enforces access restrictions on API tokens.
- Tokens are visible to the user who created the token.
- InfluxDB only allows access to the API token value immediately after the token is created.
- You can’t change access (read/write) permissions for an API token after it’s created.
- Tokens stop working when the user who created the token is deleted.
We recommend the following for managing your tokens:
- Create a generic user to create and manage tokens for writing data.
- Store your tokens in a secure password vault for future access.
Manage tokens in the InfluxDB UI
To manage InfluxDB API Tokens in the InfluxDB UI, navigate to the API Tokens management page.
In the navigation menu on the left, select Data (Load Data) > API Tokens.
Create a token in the InfluxDB UI
- From the API Tokens management page, click Generate and select a token type (Read/Write Token or All Access API Token).
- In the window that appears, enter a description for your token in the Description field.
- If generating a read/write token:
  - Search for and select buckets to read from in the Read pane.
  - Search for and select buckets to write to in the Write pane.
- Click Save.
Create a token using the influx CLI
InfluxDB 2.4 introduced a bug that prevents you from creating an all-access or operator token using the influx auth create command, and causes the following error:
Error: could not write auth with provided arguments: 403 Forbidden: permission.
Until this bug is resolved in the next influx CLI release, use the workaround below to create an all-access or operator token.
Workaround: To create an all-access or operator token
- Use the following command to create an all-access or operator token. For an operator token, you must also include the --read-orgs and --write-orgs flags.
# Identify the organization with either --org (name) or --org-id (ID).
influx auth create \
--org my-org \
--read-authorizations \
--write-authorizations \
--read-buckets \
--write-buckets \
--read-dashboards \
--write-dashboards \
--read-tasks \
--write-tasks \
--read-telegrafs \
--write-telegrafs \
--read-users \
--write-users \
--read-variables \
--write-variables \
--read-secrets \
--write-secrets \
--read-labels \
--write-labels \
--read-views \
--write-views \
--read-documents \
--write-documents \
--read-notificationRules \
--write-notificationRules \
--read-notificationEndpoints \
--write-notificationEndpoints \
--read-checks \
--write-checks \
--read-dbrp \
--write-dbrp \
--read-annotations \
--write-annotations \
--read-sources \
--write-sources \
--read-scrapers \
--write-scrapers \
--read-notebooks \
--write-notebooks \
--read-remotes \
--write-remotes \
--read-replications \
--write-replications
Create a token with specified read permissions
influx auth create \
--org my-org \
--read-bucket 03a2bbf46309a000 \
--read-bucket 3a87c03ace269000 \
--read-dashboards \
--read-tasks \
--read-telegrafs \
--read-user
See the influx auth create documentation for information about other available flags.
Create a token using the InfluxDB API
Use the /api/v2/authorizations InfluxDB API endpoint to create a token.
POST http://localhost:8086/api/v2/authorizations
Include the following in your request:
Requirement | Include by |
---|---|
API token with the write: authorizations permission | Use the Authorization header and the Bearer or Token scheme. |
Organization | Pass as orgID in the request body. |
Permissions list | Pass as a permissions array in the request body. |
INFLUX_ORG_ID=YOUR_ORG_ID
INFLUX_TOKEN=YOUR_API_TOKEN
curl -v --request POST \
http://localhost:8086/api/v2/authorizations \
--header "Authorization: Token ${INFLUX_TOKEN}" \
--header 'Content-type: application/json' \
--data '{
"status": "active",
"description": "iot-center-device",
"orgID": "'"${INFLUX_ORG_ID}"'",
"permissions": [
{
"action": "read",
"resource": {
"orgID": "'"${INFLUX_ORG_ID}"'",
"type": "authorizations"
}
},
{
"action": "read",
"resource": {
"orgID": "'"${INFLUX_ORG_ID}"'",
"type": "buckets"
}
},
{
"action": "write",
"resource": {
"orgID": "'"${INFLUX_ORG_ID}"'",
"type": "buckets",
"name": "iot-center"
}
}
]
}'
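The following Python code is an added example, not part of the InfluxDB documentation or tooling: it builds the request body for POST /api/v2/authorizations with every permission pinned to a bucket ID, and audits a body for entries that are org-wide or that allow creating further tokens. The function names are hypothetical, the resource id field is not shown on this page, the bucket IDs are the sample IDs from the CLI example above, and the audit assumes that a resource entry with neither id nor name applies to every resource of that type in the organization.

```python
import json

def build_authorization(org_id, description, read_bucket_ids=(), write_bucket_ids=(), user_id=None):
    """Request body for POST /api/v2/authorizations limited to the listed buckets."""
    permissions = [
        {"action": action, "resource": {"orgID": org_id, "type": "buckets", "id": bucket_id}}
        for action, ids in (("read", read_bucket_ids), ("write", write_bucket_ids))
        for bucket_id in ids
    ]
    if not permissions:
        raise ValueError("refusing to build a token request with no permissions")
    body = {"status": "active", "description": description,
            "orgID": org_id, "permissions": permissions}
    if user_id is not None:
        body["userID"] = user_id  # scope the token to a user other than the creator
    return body

def audit_permissions(body):
    """Return (action, type, reason) findings to review before sending the request."""
    findings = []
    for perm in body["permissions"]:
        action, res = perm["action"], perm["resource"]
        # Assumption: with neither id nor name, the entry covers every
        # resource of that type in the organization.
        if "id" not in res and "name" not in res:
            findings.append((action, res["type"], "org-wide"))
        # Per the page, write on authorizations is what allows creating tokens.
        if action == "write" and res["type"] == "authorizations":
            findings.append((action, res["type"], "can-create-tokens"))
    return findings

ORG_ID = "YOUR_ORG_ID"  # placeholder, as on the page

# The page's request body, reproduced here so the audit can run offline.
PAGE_BODY = {
    "status": "active", "description": "iot-center-device", "orgID": ORG_ID,
    "permissions": [
        {"action": "read", "resource": {"orgID": ORG_ID, "type": "authorizations"}},
        {"action": "read", "resource": {"orgID": ORG_ID, "type": "buckets"}},
        {"action": "write", "resource": {"orgID": ORG_ID, "type": "buckets", "name": "iot-center"}},
    ],
}

if __name__ == "__main__":
    print(audit_permissions(PAGE_BODY))
    scoped = build_authorization(ORG_ID, "iot-center-device",
                                 read_bucket_ids=["03a2bbf46309a000"],
                                 write_bucket_ids=["3a87c03ace269000"])
    print(json.dumps(scoped, indent=2))
    print(audit_permissions(scoped))
```

Run on the request body above, the audit reports the read permissions on authorizations and buckets as org-wide; the body built from bucket IDs produces no findings.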
Create a token scoped to a user
To scope a token to a user other than the token creator, pass userID in the request body.
######################################################
# The example below uses common command-line tools
# `curl`, `jq` with the InfluxDB API to do the following:
# 1. Create a user.
# 2. Find the new or existing user by name.
# 3. If the user exists:
# a. Build an authorization object with the user ID.
# b. Create the new authorization.
# c. Return the new token.
######################################################
INFLUX_ORG_ID=YOUR_ORG_ID
INFLUX_TOKEN=YOUR_API_TOKEN
function create_token_with_user() {
curl --request POST \
"http://localhost:8086/api/v2/users/" \
--header "Authorization: Token ${INFLUX_TOKEN}" \
--header 'Content-type: application/json' \
--data "{\"name\": \"$1\"}"
curl --request GET \
"http://localhost:8086/api/v2/users?name=$1" \
--header "Authorization: Token ${INFLUX_TOKEN}" \
--header 'Content-type: application/json' | \
jq --arg USER "$1" '.users[0] // error("User missing")
| {
"orgID": "'"${INFLUX_ORG_ID}"'",
"userID": .id,
"description": $USER,
"permissions": [
{"action": "read", "resource": {"type": "buckets"}}
]
}' | \
curl --request POST \
"http://localhost:8086/api/v2/authorizations" \
--header "Authorization: Token ${INFLUX_TOKEN}" \
--header 'Content-type: application/json' \
--data @- | \
jq '.token'
}
create_token_with_user 'iot_user_1'
See the POST /api/v2/authorizations documentation for more information about options.