---
title: Create a resource token
description: Use the influxdb3 create token --permission command or the HTTP API to create fine-grained permissions tokens that grant access to resources such as databases and system information. Database tokens allow for reading and writing data in your InfluxDB 3 Enterprise instance. System tokens allow for reading system information and metrics for your server.
url: https://docs.influxdata.com/influxdb3/enterprise/admin/tokens/resource/create/
estimated_tokens: 10149
product: InfluxDB 3 Enterprise
version: enterprise
---

# Create a resource token

Use the [`influxdb3 create token --permission` command](/influxdb3/enterprise/reference/cli/influxdb3/create/token/permission/) or the [`/api/v3/enterprise/configure/token` HTTP API endpoint](/influxdb3/enterprise/api/auth-token/#operation/PostCreateResourceToken) to create fine-grained permissions tokens that grant access to resources such as databases and system information. Database tokens allow for reading and writing data in your InfluxDB 3 Enterprise instance. System tokens allow for reading system information and metrics for your server.

After you [create an *admin token*](/influxdb3/enterprise/admin/tokens/admin/create/), you can use the token string to authenticate `influxdb3` commands and HTTP API requests for managing database and system tokens.

*The HTTP API examples in this guide use [cURL](https://curl.se/) to send an API request, but you can use any HTTP client.*

#### Store secure tokens in a secret store

Token strings are returned *only* on token creation. We recommend storing database tokens in a **secure secret store**. If you lose a resource token string, revoke the token and create a new one.

## Create a database token

<!-- Tabbed content: Select one of the following options -->

**CLI:**

Use the [`influxdb3 create token --permission` command](/influxdb3/enterprise/reference/cli/influxdb3/create/token/permission/) to create a database token with fine-grained permissions for reading and writing data in your InfluxDB 3 Enterprise instance.

In your terminal, enter `influxdb3 create token` and provide the following:

-   `--permission`: Token permissions (read, write) in the `RESOURCE_TYPE:RESOURCE_NAMES:ACTIONS` format–for example:
    
    ```
    db:DATABASE1,DATABASE2:read,write
    ```
    
    -   `db:`: The `db` resource type, which specifies the token is for a database
    -   `DATABASE1,DATABASE2`: A comma-separated list of database names to grant permissions to. The resource names part supports the `*` wildcard, which grants read or write permissions to all databases.
    -   `read,write`: A comma-separated list of permissions to grant to the token.
-   `--name`: A unique name for the token
    
-   *Options*, for example:
    
    -   `--expiry`: The token expiration time as a duration. If an expiration isn’t set, the token does not expire until revoked.

```bash
influxdb3 create token \
  --permission "db:DATABASE1,DATABASE2:read,write" \
  --name "Read-write on DATABASE1, DATABASE2" \
  --expiry 1y
```

Replace the following:

-   `DATABASE1`, `DATABASE2`: your InfluxDB 3 Enterprise [database](/influxdb3/enterprise/admin/databases/)
-   `1y`: the token expiration time as a duration

The output is the token string in plain text.

**HTTP API:**

Send a request to the following InfluxDB 3 Enterprise endpoint:

POST http://localhost:8181/api/v3/enterprise/configure/token

Provide the following request headers:

-   `Accept: application/json` to ensure the response body is JSON content
-   `Content-Type: application/json` to indicate the request body is JSON content
-   `Authorization: Bearer` and the [admin token](/influxdb3/enterprise/admin/tokens/admin/) for your instance to authorize the request

In the request body, provide the following parameters:

-   `token_name`: a description of the token, unique within the instance
-   `resource_type`: the resource type for the token, which is always `db`
-   `resource_names`: an array of database names to grant permissions to
    -   The `resource_names` field supports the `*` wildcard, which grants read or write permissions to all databases.
-   `permissions`: an array of token permission actions (`"read"`, `"write"`) for the database
-   `expiry_secs`: Specify the token expiration time in seconds.

The following example shows how to use the HTTP API to create a database token:

```bash
  curl \
  "http://localhost:8181/api/v3/enterprise/configure/token" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{
    "token_name": "Read-write for DATABASE1, DATABASE2",
    "permissions": [{
      "resource_type": "db",
      "resource_names": ["DATABASE1","DATABASE2"],
      "actions": ["read","write"]
     }],
     "expiry_secs": 300000
  }'
```

Replace the following in your request:

-   `DATABASE1`, `DATABASE2`: your InfluxDB 3 Enterprise [database](/influxdb3/enterprise/admin/databases/)
-   `300000`: the token expiration time in seconds

The response body contains token details, including the `token` field with the token string in plain text.

<!-- End tabbed content -->

### Examples

-   [Create a token with read and write access to a database](#create-a-token-with-read-and-write-access-to-a-database)
-   [Create a token with read and write access to all databases](#create-a-token-with-read-and-write-access-to-all-databases)
-   [Create a token with read-only access to a database](#create-a-token-with-read-only-access-to-a-database)
-   [Create a token with read-only access to multiple databases](#create-a-token-with-read-only-access-to-multiple-databases)
-   [Create a token that expires in seven days](#create-a-token-that-expires-in-seven-days)

In the examples below, replace the following:

-   `DATABASE_NAME`: your InfluxDB 3 Enterprise [database](/influxdb3/enterprise/admin/databases/)
-   `DATABASE2_NAME`: your InfluxDB 3 Enterprise [database](/influxdb3/enterprise/admin/databases/)
-   `AUTH_TOKEN`: the [token](/influxdb3/enterprise/admin/tokens/admin) for your InfluxDB 3 Enterprise instance

#### Create a token with read and write access to a database

<!-- Tabbed content: Select one of the following options -->

**CLI:**

```bash
influxdb3 create token \
  --permission "db:DATABASE_NAME:read,write" \
  --name "Read/write token for DATABASE_NAME"
```

**HTTP API:**

```bash
curl \
  "http://localhost:8181/api/v3/enterprise/configure/token" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer AUTH_TOKEN" \
  --data '{
    "token_name": "Read/write token for DATABASE_NAME",
    "permissions": [{
      "resource_type": "db",
      "resource_names": ["DATABASE_NAME"],
      "actions": ["read","write"]
    }]
  }'
```

<!-- End tabbed content -->

#### Create a token with read and write access to all databases

<!-- Tabbed content: Select one of the following options -->

**CLI:**

```bash
influxdb3 create token \
  --permission "db:*:read,write" \
  --name "Read/write token for all databases"
```

**HTTP API:**

```bash
curl \
  "http://localhost:8181/api/v3/enterprise/configure/token" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer AUTH_TOKEN" \
  --data '{
    "token_name": "Read/write token for all databases",
    "permissions": [{
      "resource_type": "db",
      "resource_names": ["*"],
      "actions": ["read","write"]
    }]
  }'
```

<!-- End tabbed content -->

#### Create a token with read-only access to a database

<!-- Tabbed content: Select one of the following options -->

**CLI:**

```bash
influxdb3 create token \
  --permission "db:DATABASE_NAME:read" \
  --name "Read-only token for DATABASE_NAME"
```

**HTTP API:**

```bash
curl \
  "http://localhost:8181/api/v3/enterprise/configure/token" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer AUTH_TOKEN" \
  --data '{
    "token_name": "Read-only token for DATABASE_NAME",
    "permissions": [{
      "resource_type": "db",
      "resource_names": ["DATABASE_NAME"],
      "actions": ["read"]
    }]
  }'
```

<!-- End tabbed content -->

#### Create a token with read-only access to multiple databases

<!-- Tabbed content: Select one of the following options -->

**CLI:**

```bash
influxdb3 create token \
  --permission "db:DATABASE_NAME,DATABASE2_NAME:read" \
  --name "Read-only token for DATABASE_NAME, DATABASE2_NAME"
```

**HTTP API:**

```bash
curl \
  "http://localhost:8181/api/v3/enterprise/configure/token" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer AUTH_TOKEN" \
  --data '{
    "token_name": "Read-only token for DATABASE_NAME, DATABASE2_NAME",
    "permissions": [{
      "resource_type": "db",
      "resource_names": ["DATABASE_NAME","DATABASE2_NAME"],
      "actions": ["read"]
    }]
  }'
```

<!-- End tabbed content -->

#### Create a token that expires in seven days

<!-- Tabbed content: Select one of the following options -->

**CLI:**

```bash
influxdb3 create token \
  --permission "db:DATABASE_NAME:read,write" \
  --name "Read/write token for DATABASE_NAME with 7d expiration" \
  --expiry 7d
```

**HTTP API:**

```bash
curl \
  "http://localhost:8181/api/v3/enterprise/configure/token" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer AUTH_TOKEN" \
  --data '{
    "token_name": "Read/write token for DATABASE_NAME with 7d expiration",
    "permissions": [{
      "resource_type": "db",
      "resource_names": ["DATABASE_NAME"],
      "actions": ["read","write"]
    }],
    "expiry_secs": 604800
  }'
```

<!-- End tabbed content -->

## Create a system token

System tokens have the `system` resource type and allow for read-only access to system information and metrics from your server.

You can create system tokens for the following system resources:

-   `health`: system health information from the `/health` HTTP API endpoint
-   `metrics`: system metrics information from the `/metrics` HTTP API endpoint
-   `ping`: system ping information from the `/ping` HTTP API endpoint

<!-- Tabbed content: Select one of the following options -->

**CLI:**

Use the [`influxdb3 create token` command](/influxdb3/enterprise/reference/cli/influxdb3/create/token/) to create a system token with permissions for reading system information from your InfluxDB 3 Enterprise instance.

In your terminal, run the `influxdb3 create token --permission` command and provide the following:

-   `--name`: A unique name for the token
    
-   *Options*, for example:
    
    -   `--expiry`: The token expiration time as a duration. If an expiration isn’t set, the token does not expire until revoked.
-   Token permissions in the `RESOURCE_TYPE:RESOURCE_NAMES:ACTIONS` format–for example:
    
    ```
    system:health:read
    ```
    
    -   `system:`: The `system` resource type, which specifies the token is for system information.
    -   `health`: The specific system resource to grant permissions to.
    -   `read`: The permission to grant to the token (system tokens are always read-only).

```bash
influxdb3 create token \
  --permission "system:health:read" \
  --name "System health token" \
  --expiry 1y
```

Replace the following:

-   `1y`: the token expiration time as a duration.

The output is the token string in plain text.

**HTTP API:**

Send a request to the following InfluxDB 3 Enterprise endpoint:

POST http://localhost:8181/api/v3/enterprise/configure/token

Provide the following request headers:

-   `Accept: application/json` to ensure the response body is JSON content
-   `Content-Type: application/json` to indicate the request body is JSON content
-   `Authorization: Bearer` and the [admin token](/influxdb3/enterprise/admin/tokens/admin/) for your instance to authorize the request

In the request body, provide the following parameters:

-   `token_name`: a description of the token, unique within the instance
-   `resource_type`: the resource type for the token, which is `system` for system tokens
-   `resource_names`: an array of system resource names to grant permissions to
    -   The `resource_names` field supports the `*` wildcard, which grants read or write permissions to all system information resources.
-   `permissions`: an array of token permission actions (only `"read"` for system tokens)
-   `expiry_secs`: Specify the token expiration time in seconds.

The following example shows how to use the HTTP API to create a system token:

```bash
curl \
"http://localhost:8181/api/v3/enterprise/configure/token" \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer AUTH_TOKEN" \
--data '{
  "token_name": "System health token",
  "permissions": [{
  "resource_type": "system",
  "resource_names": ["health"],
  "actions": ["read"]
   }],
   "expiry_secs": 300000
}'
```

Replace the following in your request:

-   `300000`: the token expiration time in seconds.

The response body contains token details, including the `token` field with the token string in plain text.

<!-- End tabbed content -->

## Output format

The `influxdb3 create token` command supports the `--format json` option. By default, the command outputs the token string. For easier programmatic access to the command output, include `--format json` with your command to format the output as JSON.

The `/api/v3/configure/token` endpoint outputs JSON format in the response body.