---
title: Create a token
description: Create an API token in InfluxDB using the InfluxDB UI, the influx CLI, or the InfluxDB API.
url: https://docs.influxdata.com/influxdb/v2/admin/tokens/create-token/
estimated_tokens: 5098
product: InfluxDB OSS v2
version: v2
---

# Create a token

This page documents an earlier version of InfluxDB OSS. [InfluxDB 3 Core](/influxdb3/core/) is the latest stable version.

#### API token hashing is enabled by default in InfluxDB OSS 2.9.0

Stronger token security: tokens are stored as hashes on disk, so a copy of the database file doesn’t expose usable tokens. Existing tokens are hashed on first startup and the original strings can’t be recovered afterward — **capture any plaintext tokens you still need before you upgrade**.

For more information, see [Token hashing](/influxdb/v2/admin/tokens/#token-hashing).

Create API tokens using the InfluxDB user interface (UI), the `influx` command line interface (CLI), or the InfluxDB API.

To follow best practices for secure API token generation and retrieval, InfluxDB enforces access restrictions on API tokens.

-   Tokens are visible to the user who created the token.
-   InfluxDB only allows access to the API token value immediately after the token is created.
-   You can’t change access (**read/write**) permissions for an API token after it’s created.
-   Tokens stop working when the user who created the token is deleted.

**We recommend the following for managing your tokens:**

-   Create a generic user to create and manage tokens for writing data.
-   Store your tokens in a secure password vault for future access.

-   [Manage tokens in the InfluxDB UI](#manage-tokens-in-the-influxdb-ui)
-   [Create a token in the InfluxDB UI](#create-a-token-in-the-influxdb-ui)
-   [Create a token using the influx CLI](#create-a-token-using-the-influx-cli)
-   [Create a token using the InfluxDB API](#create-a-token-using-the-influxdb-api)

## Manage tokens in the InfluxDB UI

To manage InfluxDB API Tokens in the InfluxDB UI, navigate to the **API Tokens** management page.

In the navigation menu on the left, select **Data (Load Data)** > **API Tokens**.

Load Data

## Create a token in the InfluxDB UI

1. From the [API Tokens management page](#manage-tokens-in-the-influxdb-ui), click **Generate** and select a token type (**Read/Write Token** or **All Access API Token**).
2. In the window that appears, enter a description for your token in the **Description** field.
3. If generating a **read/write token**:
    -   Search for and select buckets to read from in the **Read** pane.
    -   Search for and select buckets to write to in the **Write** pane.
4. Click **Save**.

## Create a token using the influx CLI

Use the [`influx auth create` command](/influxdb/v2/reference/cli/influx/auth/create) to create a token. Include flags with the command to grant specific permissions to the token. See the [available flags](/influxdb/v2/reference/cli/influx/auth/create#flags). Only tokens with the `write: authorizations` permission can create tokens.

```sh
# Syntax
influx auth create -o <org-name> [permission-flags]
```

### Examples

#### Create an All Access token

Create an All Access token to grant permissions to all resources in an organization.

```sh
influx auth create \
  --org my-org \
  --all-access
```

#### Create an operator token

Create an operator token to grant permissions to all resources in all organizations.

```sh
influx auth create \
  --org my-org \
  --operator
```

To [view or create an operator token](/influxdb/v2/admin/tokens/create-token/) with the InfluxDB UI, `api/v2` API, or `influx` CLI after the setup process is completed, you must use an existing operator token.

To create a new operator token without using an existing one, see how to use the [`influxd recovery auth`](/influxdb/v2/reference/cli/influxd/recovery/auth/) CLI.

#### Create a token with specified permissions

##### Create a token with specified read permissions

```sh
influx auth create \
  --org my-org \
  --read-bucket 03a2bbf46309a000 \
  --read-bucket 3a87c03ace269000 \
  --read-dashboards \
  --read-tasks \
  --read-telegrafs \
  --read-user
```

##### Create a token scoped to a user and with specified read and write permissions

```sh
influx auth create       \
  --org ORG_NAME         \
  --user USERNAME        \
  --read-authorizations  \
  --write-authorizations \
  --read-buckets         \
  --write-buckets        \
  --read-dashboards      \
  --write-dashboards     \
  --read-tasks           \
  --write-tasks          \
  --read-telegrafs       \
  --write-telegrafs      \
  --read-users           \
  --write-users
```

See the [`influx auth create` documentation](/influxdb/v2/reference/cli/influx/auth/create) for information about other available flags.

## Create a token using the InfluxDB API

Use the `/api/v2/authorizations` InfluxDB API endpoint to create a token.

[POST http://localhost:8086/api/v2/authorizations](/influxdb/v2/api/authorizations-api-tokens/)

Include the following in your request:

| Requirement | Include by |
| --- | --- |
| API token with the write: authorizations permission | Use the Authorization header and the Bearer or |
| Token scheme. |  |
| Organization | Pass as orgID in the request body. |
| Permissions list | Pass as a permissions array in the request body. |

```sh
INFLUX_ORG_ID=YOUR_ORG_ID
INFLUX_TOKEN=YOUR_API_TOKEN

curl -v --request POST \
  http://localhost:8086/api/v2/authorizations \
  --header "Authorization: Token ${INFLUX_TOKEN}" \
  --header 'Content-type: application/json' \
  --data '{
  "status": "active",
  "description": "iot-center-device",
  "orgID": "'"${INFLUX_ORG_ID}"'",
  "permissions": [
    {
      "action": "read",
      "resource": {
        "orgID": "'"${INFLUX_ORG_ID}"'",
        "type": "authorizations"
      }
    },
    {
      "action": "read",
      "resource": {
        "orgID": "'"${INFLUX_ORG_ID}"'",
        "type": "buckets"
      }
    },
    {
      "action": "write",
      "resource": {
        "orgID": "'"${INFLUX_ORG_ID}"'",
        "type": "buckets",
        "name": "iot-center" 
      }
    }
  ]
}'
```

### Create a token scoped to a user

To scope a token to a user other than the token creator, pass the `userID` property in the request body.

```sh
######################################################
# The example below uses common command-line tools 
# `curl`, `jq` with the InfluxDB API to do the following:
# 1. Create a user.
# 2. Find the new or existing user by name.
# 3. If the user exists:
#   a. Build an authorization object with the user ID.
#   b. Create the new authorization.
#   c. Return the new token.
######################################################

INFLUX_ORG_ID=YOUR_ORG_ID
INFLUX_TOKEN=YOUR_API_TOKEN

function create_token_with_user() {
  curl --request POST \
    "http://localhost:8086/api/v2/users/" \
    --header "Authorization: Token ${INFLUX_TOKEN}" \
    --header 'Content-type: application/json' \
    --data "{\"name\": \"$1\"}"
  
  curl --request GET \
    "http://localhost:8086/api/v2/users?name=$1" \
    --header "Authorization: Token ${INFLUX_TOKEN}" \
    --header 'Content-type: application/json' | \
  
  jq --arg USER $1 '.users[0] // error("User missing")
    | {
        "orgID": "'"${INFLUX_ORG_ID}"'",
        "userID": .id,
        "description": $USER,
        "permissions": [
           {"action": "read", "resource": {"type": "buckets"}}
         ]
      }' | \
  
  curl --request POST \
    "http://localhost:8086/api/v2/authorizations" \
    --header "Authorization: Token ${INFLUX_TOKEN}" \
    --header 'Content-type: application/json' \
    --data @- | \
  
  jq '.token'
}

create_token_with_user 'iot_user_1'
```

See the [`POST /api/v2/authorizations` documentation](/influxdb/v2/api/authorizations-api-tokens/) for more information about options.