---
title: Create a database token
description: Use the Admin UI, the influxctl token create command, or the Management HTTP API to create a database token for reading and writing data in your InfluxDB Cloud Dedicated cluster. Provide a token description and permissions for databases.
url: https://docs.influxdata.com/influxdb3/cloud-dedicated/admin/tokens/database/create/
estimated_tokens: 14409
product: InfluxDB Cloud Dedicated
version: cloud-dedicated
---

# Create a database token

Use the Admin UI, the [`influxctl` CLI](/influxdb3/cloud-dedicated/reference/cli/influxctl/), or the [Management HTTP API](/influxdb3/cloud-dedicated/api/management/) to create a [database token](/influxdb3/cloud-dedicated/admin/tokens/database/) with permissions for reading and writing data in your InfluxDB Cloud Dedicated cluster.

<!-- Tabbed content: Select one of the following options -->

**Admin UI:**

The InfluxDB Cloud Dedicated administrative UI includes a portal for creating and managing database tokens.

Access the InfluxDB Cloud Dedicated Admin UI at [console.influxdata.com](https://console.influxdata.com). If you don’t have login credentials, [contact InfluxData support](https://support.influxdata.com).

In the Database Tokens portal, click the **New Database Token** button. The **Create Database Token** dialog displays.

![Create database token dialog](/img/influxdb3/cloud-dedicated-admin-ui-create-database-token.png)

8. Add a token description. The description is used to identify the token in the list of tokens.
9. To create a token that expires, enable the **Expiration** toggle, and then select the expiration date and time.
10. Set the token permissions:
    -   Select the database or **All Databases** for the permission
    -   Use the **Read** and **Write** buttons under **Actions** to toggle these permissions on or off for the selected database.
11. Click the **Create Token** button. The dialog displays the **Token secret** string and the description you provided.

**influxctl:**

Use the [`influxctl token create` command](/influxdb3/cloud-dedicated/reference/cli/influxctl/token/create/) to create a token that grants access to databases in your InfluxDB Cloud Dedicated cluster.

1. If you haven’t already, [download and install the `influxctl` CLI](/influxdb3/cloud-dedicated/reference/cli/influxctl/#download-and-install-influxctl), and then [configure an `influxctl` connection profile](/influxdb3/cloud-dedicated/reference/cli/influxctl/#configure-connection-profiles) for your cluster.
    
2. In your terminal, run the `influxctl token create` command and provide the following:
    
    -   Token permissions (read and write)
        
        -   `--read-database`: Grants read permissions to the specified database. Repeatable.
        -   `--write-database`: Grants write permissions to the specified database. Repeatable.
        
        Both of these flags support the `*` wildcard which grants read or write permissions to all databases. Enclose wildcards in single or double quotes–for example: `'*'` or `"*"`.
        
    -   *Optional*: the `--expires-at` flag with an RFC3339 date string that defines the token expiration date and time–for example, `<span class="current-date nowrap" offset="1" trim-time="false">2026-05-13T00:00:00Z</span>`. If an expiration isn’t set, the token does not expire until revoked.
        
    -   Token description
        

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  --write-database DATABASE_NAME \
  --expires-at RFC3339_TIMESTAMP \
  "Read/write token for DATABASE_NAME"
```

Replace the following:

-   `DATABASE_NAME`: your InfluxDB Cloud Dedicated [database](/influxdb3/cloud-dedicated/admin/databases/)
-   `RFC3339_TIMESTAMP`: the token expiration date and time in [RFC3339 format](/influxdb3/cloud-dedicated/reference/glossary/#rfc3339-timestamp).

The output is the token ID and the token string. **This is the only time the token string is available in plain text.**

**Management API:**

*This example uses [cURL](https://curl.se/) to send a Management HTTP API request, but you can use any HTTP client.*

1. If you haven’t already, follow the instructions to [install cURL](https://everything.curl.dev/install/index.html) for your system.
    
2. In your terminal, use cURL to send a request to the following InfluxDB Cloud Dedicated endpoint:
    
    [POST https://console.influxdata.com/api/v0/accounts/ACCOUNT\_ID/clusters/CLUSTER\_ID/tokens](/influxdb3/cloud-dedicated/api/database-tokens/#operation/CreateDatabaseToken)
    
    In the URL, provide the following credentials:
    
    -   `ACCOUNT_ID`: The ID of the [account](/influxdb3/cloud-dedicated/get-started/setup/#request-an-influxdb-cloud-dedicated-cluster) that the cluster belongs to *(see how to [list cluster details](/influxdb3/cloud-dedicated/admin/clusters/list/#detailed-output-in-json))*.
    -   `CLUSTER_ID`: The ID of the [cluster](/influxdb3/cloud-dedicated/get-started/setup/#request-an-influxdb-cloud-dedicated-cluster) that you want to manage *(see how to [list cluster details](/influxdb3/cloud-dedicated/admin/clusters/list/#detailed-output-in-json))*.
    
    Provide the following request headers:
    
    -   `Accept: application/json` to ensure the response body is JSON content
    -   `Content-Type: application/json` to indicate the request body is JSON content
    -   `Authorization: Bearer` and a [Management API token](/influxdb3/cloud-dedicated/admin/tokens/management/) for your cluster *(see how to [create a management token](/influxdb3/cloud-dedicated/admin/tokens/management/) for Management API requests)*.
    
    In the request body, provide the following parameters:
    
    -   `permissions`: an array of token [permissions](/influxdb3/cloud-dedicated/api/database-tokens/#operation/CreateDatabaseToken) (read or write) objects:
        
        -   `"action"`: Specify `read` or `write` permission to the database.
        -   `"resource"`: Specify the database name.
    -   `description`: Provide a description of the token.
        
    -   `expirationType`: Specify `datetime` or `noExpiration` token expiration type.
        
    -   `expiresAt`: Specify the token expiration date and time in [RFC3339 format](/influxdb3/cloud-dedicated/reference/glossary/#rfc3339-timestamp).
        
        `expiresAt` is only required when `expirationType` is `datetime`.
        

The following example shows how to use the Management API to create a database token:

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data '{
     "description": "Read/write token for DATABASE_NAME",
     "permissions": [
       {
         "action": "write",
         "resource": "DATABASE_NAME"
       },
       {
         "action": "read",
         "resource": "DATABASE_NAME"
       }
     ],
      "expirationType": "datetime",
      "expiresAt": "2030-01-01T00:00:00Z"
   }'
```

Replace the following in your request:

-   `ACCOUNT_ID`: the ID of the InfluxDB Cloud Dedicated [account](/influxdb3/cloud-dedicated/get-started/setup/#request-an-influxdb-cloud-dedicated-cluster) to create the database token for
-   `CLUSTER_ID`: the ID of the InfluxDB Cloud Dedicated [cluster](/influxdb3/cloud-dedicated/get-started/setup/#request-an-influxdb-cloud-dedicated-cluster) to create the database token for
-   `MANAGEMENT TOKEN`: a [management token](/influxdb3/cloud-dedicated/admin/tokens/management/) for your InfluxDB Cloud Dedicated cluster
-   `DATABASE_NAME`: a InfluxDB Cloud Dedicated [database](/influxdb3/cloud-dedicated/admin/databases/) that the token will have read or write permission to

The response body contains the token ID and the token string. **This is the only time the token string is available in plain text.**

<!-- End tabbed content -->

## Notable behaviors

-   InfluxDB might take some time–from a few seconds to a few minutes–to activate and synchronize new tokens. If a new database token doesn’t immediately work (you receive a `401 Unauthorized` error) for querying or writing, wait and then try again.
-   Token strings are viewable *only* on token creation.

#### Store secure tokens in a secret store

Token strings are viewable *only* on token creation and aren’t stored by InfluxDB. We recommend storing database tokens in a **secure secret store**. For example, see how to [authenticate Telegraf using tokens in your OS secret store](https://github.com/influxdata/telegraf/tree/master/plugins/secretstores/os).

If you lose a token, [delete the token from InfluxDB](/influxdb3/cloud-dedicated/admin/tokens/database/delete/) and create a new one.

## Output format

The `influxctl token create` command supports the `--format json` option. By default, the command outputs the token string. For [token details](/influxdb3/cloud-dedicated/api/database-tokens/#operation/CreateDatabaseToken) and easier programmatic access to the command output, include `--format json` with your command to format the output as JSON.

The Management API outputs JSON format in the response body.

## Examples

-   [Create a token with read and write access to a database](#create-a-token-with-read-and-write-access-to-a-database)
-   [Create a token with read and write access to all databases](#create-a-token-with-read-and-write-access-to-all-databases)
-   [Create a token with read-only access to a database](#create-a-token-with-read-only-access-to-a-database)
-   [Create a token with read-only access to multiple databases](#create-a-token-with-read-only-access-to-multiple-databases)
-   [Create a token with mixed permissions to multiple databases](#create-a-token-with-mixed-permissions-to-multiple-databases)
-   [Create a token that expires in seven days](#create-a-token-that-expires-in-seven-days)

In the examples below, replace the following:

-   `DATABASE_NAME`: your InfluxDB Cloud Dedicated [database](/influxdb3/cloud-dedicated/admin/databases/)
-   `DATABASE2_NAME`: your InfluxDB Cloud Dedicated [database](/influxdb3/cloud-dedicated/admin/databases/)
-   `ACCOUNT_ID`: the ID of the InfluxDB Cloud Dedicated [account](/influxdb3/cloud-dedicated/get-started/setup/#request-an-influxdb-cloud-dedicated-cluster) to create the database token for
-   `CLUSTER_ID`: the ID of the InfluxDB Cloud Dedicated [cluster](/influxdb3/cloud-dedicated/get-started/setup/#request-an-influxdb-cloud-dedicated-cluster) to create the database token for
-   `MANAGEMENT TOKEN`: a [management token](/influxdb3/cloud-dedicated/admin/tokens/management/) for your InfluxDB Cloud Dedicated cluster

### Create a token with read and write access to a database

<!-- Tabbed content: Select one of the following options -->

**influxctl:**

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  --write-database DATABASE_NAME \
  "Read/write token for DATABASE_NAME"
```

**Management API:**

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data '{
     "description": "Read/write token for DATABASE_NAME",
     "permissions": [
       {
         "action": "write",
         "resource": "DATABASE_NAME"
       },
       {
         "action": "read",
         "resource": "DATABASE_NAME"
       }
     ],
     "expirationType": "noExpiration"
   }'
```

<!-- End tabbed content -->

### Create a token with read and write access to all databases

<!-- Tabbed content: Select one of the following options -->

**influxctl:**

```sh
influxctl token create \
  --read-database "*" \
  --write-database "*" \
  "Read/write token for all databases"
```

**Management API:**

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data '{
     "description": "Read/write token for all databases",
     "permissions": [
       {
         "action": "write",
         "resource": "*"
       },
       {
         "action": "read",
         "resource": "*"
       }
     ]
   }'
```

<!-- End tabbed content -->

### Create a token with read-only access to a database

<!-- Tabbed content: Select one of the following options -->

**influxctl:**

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  "Read-only token for DATABASE_NAME"
```

**Management API:**

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data '{
     "description": "Read-only token for DATABASE_NAME",
     "permissions": [
       {
         "action": "read",
         "resource": "DATABASE_NAME"
       }
     ]
   }'
```

<!-- End tabbed content -->

### Create a token with read-only access to multiple databases

<!-- Tabbed content: Select one of the following options -->

**influxctl:**

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  --read-database DATABASE2_NAME \
  "Read-only token for DATABASE_NAME and DATABASE2_NAME"
```

**Management API:**

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data '{
     "description": "Read-only token for DATABASE_NAME and DATABASE2_NAME",
     "permissions": [
       {
         "action": "read",
         "resource": "DATABASE_NAME"
       },
       {
         "action": "read",
         "resource": "DATABASE2_NAME"
       }
     ]
   }'
```

<!-- End tabbed content -->

### Create a token with mixed permissions to multiple databases

<!-- Tabbed content: Select one of the following options -->

**influxctl:**

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  --read-database DATABASE2_NAME \
  --write-database DATABASE2_NAME \
  "Read-only on DATABASE_NAME, read/write on DATABASE2_NAME"
```

**Management API:**

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data '{
     "description": "Read-only on DATABASE_NAME, read/write on DATABASE2_NAME",
     "permissions": [
       {
         "action": "read",
         "resource": "DATABASE_NAME"
       },
       {
         "action": "read",
         "resource": "DATABASE2_NAME"
       },
       {
         "action": "write",
         "resource": "DATABASE2_NAME"
       }
     ]
   }'
```

<!-- End tabbed content -->

### Create a token that expires in seven days

<!-- Tabbed content: Select one of the following options -->

**Linux:**

<!-- Tabbed content: Select one of the following options -->

**influxctl:**

```bash
influxctl token create \
  --read-database DATABASE_NAME \
  --write-database DATABASE_NAME \
  --expires-at $(date -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z") \
  "Read/write token for DATABASE_NAME with 7d expiration"
```

**Management API:**

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data "{
     \"description\": \"Read/write token for DATABASE_NAME\",
     \"permissions\": [
       {
         \"action\": \"write\",
         \"resource\": \"DATABASE_NAME\"
       },
       {
         \"action\": \"read\",
         \"resource\": \"DATABASE_NAME\"
       }
     ],
     \"expirationType\": \"datetime\",
     \"expiresAt:\" \"$(date -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z")\"
   }"
```

<!-- End tabbed content -->

**macOS:**

<!-- Tabbed content: Select one of the following options -->

**influxctl:**

```bash
influxctl token create \
  --read-database DATABASE_NAME \
  --write-database DATABASE_NAME \
  --expires-at $(gdate -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z") \
  "Read/write token for DATABASE_NAME with 7d expiration"
```

**Management API:**

```sh
curl \
   --location "https://console.influxdata.com/api/v0/accounts/ACCOUNT_ID/clusters/CLUSTER_ID/tokens" \
   --header "Accept: application/json" \
   --header 'Content-Type: application/json' \
   --header "Authorization: Bearer MANAGEMENT_TOKEN" \
   --data "{
     \"description\": \"Read/write token for DATABASE_NAME\",
     \"permissions\": [
       {
         \"action\": \"write\",
         \"resource\": \"DATABASE_NAME\"
       },
       {
         \"action\": \"read\",
         \"resource\": \"DATABASE_NAME\"
       }
     ],
     \"expirationType\": \"datetime\",
     \"expiresAt:\" \"$(gdate -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z")\"
   }"
```

<!-- End tabbed content -->

<!-- End tabbed content -->

#### Related

-   [influxctl token create](/influxdb3/cloud-dedicated/reference/cli/influxctl/token/create/)