Documentation

InfluxDB 3 Enterprise

List resource tokens

Use the influxdb3 CLI or the HTTP API to list resource tokens with fine-grained access permissions in your InfluxDB 3 Enterprise instance. Use the influxdb3 show tokens command to list all tokens or use SQL to query token metadata directly from the system.tokens table.

Resource tokens have fine-grained permissions for InfluxDB 3 resources, such as databases and system tables. The permissions are in the format RESOURCE_TYPE:RESOURCE_NAMES:ACTIONS.

  • RESOURCE_TYPE is the type of resource (for example, db, system)
  • RESOURCE_NAMES is the specific resource name (for example, a list of database names or * for all)
  • ACTIONS is the permission level (read, write, or * for all)

Database resource tokens have permissions in the format db:database_names:actions. System resource tokens have permissions in the format system:system_endpoint_names:read.

In the following examples, replace AUTH_TOKEN with your InfluxDB token that has read permission on the _internal system database.

List all tokens

The influxdb3 show tokens CLI command lists all admin and resource tokens in your InfluxDB 3 instance.

influxdb3 show tokens

Query token metadata

To filter tokens and retrieve specific details using SQL, query the system.tokens table in the _internal system database–for example:

CLI HTTP API

influxdb3 query \
  --db _internal \
  "SELECT name, permissions FROM system.tokens WHERE permissions  NOT LIKE '\*%'"
curl -G \
"http://localhost:8181/api/v3/query_sql" \
--data-urlencode "db=_internal" \
--data-urlencode "q=SELECT * FROM system.tokens WHERE permissions NOT LIKE '\*%'" \
--header 'Accept: application/json' \
--header "Authorization: Bearer 
AUTH_TOKEN
"

Format the output

Use the format option to specify the output format for the influxdb3 show tokens command or the HTTP API response.

InfluxDB 3 Enterprise supports the following output formats:

  • pretty (default for CLI)
  • json (default for HTTP API)
  • jsonl
  • csv
  • parquet (output to a file)

CLI HTTP API

influxdb3 show tokens \
  --format csv
curl -G \
  "http://localhost:8181/api/v3/query_sql" \
  --data-urlencode "db=_internal" \
  --data-urlencode "q=SELECT * FROM system.tokens" \
  --data-urlencode "format=csv" \
  --header 'Accept: text/csv' \
  --header "Authorization: Bearer 
AUTH_TOKEN
"

Output to a Parquet file

Parquet is a binary format.

To output to a Parquet file using the CLI, include the --output option with a destination path for the file.

To output a Parquet file using the HTTP API, your client must be able to handle binary data–for example, using cURL’s --output option.

CLI HTTP API

influxdb3 show tokens \
  --format parquet \
  --output 
/PATH/TO/FILE.parquet
curl -G \
  "http://localhost:8181/api/v3/query_sql" \
  --data-urlencode "db=_internal" \
  --data-urlencode "q=SELECT * FROM system.tokens" \
  --data-urlencode "format=parquet" \
  --header "Accept: application/parquet" \
  --header "Authorization: Bearer 
AUTH_TOKEN
" \
  --output 
/PATH/TO/FILE.parquet

Replace /PATH/TO/FILE.parquet with the path to the file where you want to save the Parquet data.

Filter the output for resource tokens

You can use tools such as grep or jq to filter the token list–for example:

Use grep to filter for resource (non-admin) tokens:

CLI HTTP API

influxdb3 show tokens --format pretty | grep -v '*:*:*'
curl -G \
  "http://localhost:8181/api/v3/query_sql" \
  --data-urlencode "db=_internal" \
  --data-urlencode "q=SELECT * FROM system.tokens" \
  --data-urlencode "format=jsonl" \
  --header 'Accept: application/json' \
  --header "Authorization: Bearer 
AUTH_TOKEN
" |
grep -v "*:*:*"

Use jq to filter for system tokens and display their permissions:

CLI HTTP API

influxdb3 show tokens --format json |
jq '.[] | select(.permissions | startswith("system:")) | {name: .name, permissions: .permissions}'
curl -G \
  "http://localhost:8181/api/v3/query_sql" \
  --data-urlencode "db=_internal" \
  --data-urlencode "q=SELECT * FROM system.tokens" \
  --data-urlencode "format=json" \
  --header "Accept: application/json" \
  --header "Authorization: Bearer 
AUTH_TOKEN
" |
jq '.[] | select(.permissions | startswith("system:")) | {name: .name, permissions: .permissions}'

Was this page helpful?

Thank you for your feedback!

© 2025 InfluxData, Inc.

What is your InfluxDB 3 Enterprise URL?

Customize your InfluxDB 3 Enterprise URL and we’ll update code examples for you.

Default
Custom

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

New in InfluxDB 3.5

Key enhancements in InfluxDB 3.5 and the InfluxDB 3 Explorer 1.3.

See the Blog Post

InfluxDB 3.5 is now available for both Core and Enterprise, introducing custom plugin repository support, enhanced operational visibility with queryable CLI parameters and manual node management, stronger security controls, and general performance improvements.

InfluxDB 3 Explorer 1.3 brings powerful new capabilities including Dashboards (beta) for saving and organizing your favorite queries, and cache querying for instant access to Last Value and Distinct Value caches—making Explorer a more comprehensive workspace for time series monitoring and analysis.

For more information, check out:

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On November 3, 2025, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2