Documentation

Use a preconfigured permission (resource) tokens

Start InfluxDB 3 Enterprise with a preconfigured “offline” permission (resource) tokens file. If no tokens already exist, InfluxDB automatically creates resource tokens specified in the provided permission (resource) tokens file.

Generate an offline permissions (resource) tokens file

Use the influxdb3 create token command to generate an offline permission (resource) tokens file. You can also specify corresponding databases to create when starting InfluxDB. Include the following options:

* Required

  • * --name: The name of the admin token (replace TOKEN_NAME)
  • * --permissions: The token permissions (replace TOKEN_PERMISSIONS)
  • --expiry: Duration for the token to remain valid, in humantime format–for example 10d for 10 days or 1y for 1 year (replace DURATION)
  • * --offline
  • --create-databases: Comma separated list of database names to create when starting the server (replace DATABASE_LIST)
  • * --output-file: File path to use for the generated token file (replace path/to/tokens.json)
influxdb3 create token \
  --name 
TOKEN_NAME
\
--permission "
TOKEN_PERMISSIONS
"
\
--expiry
DURATION
\
--offline \ --create-databases
DATABASE_LIST
\
--output-file
path/to/tokens.json

Add multiple tokens to a permission tokens file

If you write a new offline permission token to an existing permission token file, the command appends the new token to the existing output file.

You can write or generate your own permission tokens file

The influxdb3 create token --offline command makes generating an offline permission tokens file easy, but it is not required. You can write or generate your own permission tokens file using the required JSON schema.

Token string security standards

If writing or generating your own permission tokens file, ensure that token strings are sufficiently secure. We recommend the following:

  • Use a cryptographically secure pseudorandom number generator.
  • Ensure sufficient length and entropy. Generate and base64-encode a random string of at least 16 bytes (128 bits).
  • Prepend the generated string with apiv3_ for InfluxDB compatibility.

Token file permissions

Token file permissions should be restricted 0600 to protect the tokens.

Offline permission tokens file schema

An offline permission tokens file is a JSON-formatted file that contains a single object with the following fields:

  • create_databases: (Optional) Array of database names to create when starting the server

  • tokens: Array of token objects

    • token: The raw token string (must begin with apiv3_)
    • name: A unique token name
    • expiry_millis: (Optional) Token expiration time as a millisecond Unix timestamp
    • permissions: Array of token permission strings.
{
  "create_databases": [
    "db1",
    "db2",
    "db3",
    "db4"
  ],
  "tokens": [
    {
      "token": "apiv3_0XXXX-xxxXxXxxxXX_OxxxX...",
      "name": "token-1",
      "expiry_millis": 1756400061529,
      "permissions": [
        "db:db1,db2:read,write",
        "db:db3:read"
      ]
    },
    {
      "token": "apiv3_0XXXX-xxxXxXxxxXX_OxxxX...",
      "name": "token-2",
      "expiry_millis": 1756400061529,
      "permissions": [
        "db:db4:read,write"
      ]
    }
  ]
}

Start InfluxDB with the preconfigured permission tokens

When starting InfluxDB 3 Enterprise, include the --permission-tokens-file option with the influxdb3 serve command or set the INFLUXDB3_PERMISSION_TOKENS_FILE environment variable to provide the preconfigured offline permission tokens file:

influxdb3 serve \
  # ... \
  --permission-tokens-file 
path/to/admin-token.json
INFLUXDB3_PERMISSION_TOKENS_FILE=
path/to/admin-token.json
influxdb3 serve \ # ... \

When the server starts, you can use the preconfigured permission (resource) tokens to write data to and query data from with your InfluxDB 3 Enterprise instance or cluster.


Was this page helpful?

Thank you for your feedback!


The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Read more

New in InfluxDB 3.4

Key enhancements in InfluxDB 3.4 and the InfluxDB 3 Explorer 1.2.

See the Blog Post

InfluxDB 3.4 is now available for both Core and Enterprise, which introduces offline token generation for use in automated deployments and configurable license type selection that lets you bypass the interactive license prompt. InfluxDB 3 Explorer 1.2 is also available, which includes InfluxDB cache management and other new features.

For more information, check out: