Create a database token

Use the influxctl token create command to create a token that grants access to databases in your InfluxDB cluster.

1. If you haven’t already, download and install the influxctl CLI.

2. In your terminal, run the influxctl token create command and provide the following:

   • Token permissions (read and write)

     • --read-database: Grants read permissions to the specified database. Repeatable.
     • --write-database: Grants write permissions to the specified database. Repeatable.

     Both of these flags support the * wildcard which grants read or write permissions to all databases. Enclose wildcards in single or double quotes–for example: '*' or "*".

   • Token expiration date and time in RFC3339 format. If you do not provide an expiration, the token does not expire.

   • Token description

influxctl token create \
  --read-database 
DATABASE_NAME
 \
  --write-database 
DATABASE_NAME
 \
  --expires-at 
RFC3339_TIMESTAMP
 \
  "Read/write token for 
DATABASE_NAME
"

Replace the following:

• DATABASE_NAME: your InfluxDB Clustered database
• RFC3339_TIMESTAMP: the token expiration date and time in RFC3339 format.

The output is the token ID and the token string. This is the only time the token string is available in plain text.

Notable behaviors

• InfluxDB might take some time–from a few seconds to a few minutes–to activate and synchronize new tokens. If a new database token doesn’t immediately work (you receive a 401 Unauthorized error) for querying or writing, wait and then try again.
• Token strings are viewable only on token creation.

Output format

The influxctl token create command supports the --format json option. By default, the command outputs the token string. For token details and easier programmatic access to the command output, include --format json with your command to format the output as JSON.

Examples

• Create a token with read and write access to a database
• Create a token with read and write access to all databases
• Create a token with read-only access to a database
• Create a token with read-only access to multiple databases
• Create a token with mixed permissions to multiple databases
• Create a token that expires in seven days

In the examples below, replace the following:

• DATABASE_NAME: your InfluxDB Clustered database
• DATABASE2_NAME: your InfluxDB Clustered database

Create a token with read and write access to a database

influxctl token create \
  --read-database 
DATABASE_NAME
 \
  --write-database 
DATABASE_NAME
 \
  "Read/write token for 
DATABASE_NAME
"

Create a token with read and write access to all databases

influxctl token create \
  --read-database "*" \
  --write-database "*" \
  "Read/write token for all databases"

Create a token with read-only access to a database

influxctl token create \
  --read-database 
DATABASE_NAME
 \
  "Read-only token for 
DATABASE_NAME
"

Create a token with read-only access to multiple databases

influxctl token create \
  --read-database 
DATABASE_NAME
 \
  --read-database 
DATABASE2_NAME
 \
  "Read-only token for 
DATABASE_NAME
 and 
DATABASE2_NAME
"

Create a token with mixed permissions to multiple databases

influxctl token create \
  --read-database 
DATABASE_NAME
 \
  --read-database 
DATABASE2_NAME
 \
  --write-database 
DATABASE2_NAME
 \
  "Read-only on 
DATABASE_NAME
, read/write on 
DATABASE2_NAME
"

Create a token that expires in seven days

influxctl token create \
  --read-database 
DATABASE_NAME
 \
  --write-database 
DATABASE_NAME
 \
  --expires-at $(date -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z") \
  "Read/write token for 
DATABASE_NAME
 with 7d expiration"

influxctl token create \
  --read-database 
DATABASE_NAME
 \
  --write-database 
DATABASE_NAME
 \
  --expires-at $(gdate -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z") \
  "Read/write token for 
DATABASE_NAME
 with 7d expiration"