Use a preconfigured permission (resource) tokens
Start InfluxDB 3 Enterprise with a preconfigured “offline” permission (resource) tokens file. If no tokens already exist, InfluxDB automatically creates resource tokens specified in the provided permission (resource) tokens file.
- Generate an offline permissions (resource) tokens file
- Start InfluxDB with the preconfigured permission tokens
Generate an offline permissions (resource) tokens file
Use the influxdb3 create token
command to generate an offline permission (resource)
tokens file. You can also specify corresponding databases to create when starting InfluxDB.
Include the following options:
* Required
- *
--name
: The name of the admin token (replaceTOKEN_NAME
) - *
--permissions
: The token permissions (replaceTOKEN_PERMISSIONS
) --expiry
: Duration for the token to remain valid, in humantime format–for example10d
for 10 days or1y
for 1 year (replaceDURATION
)- *
--offline
--create-databases
: Comma separated list of database names to create when starting the server (replaceDATABASE_LIST
)- *
--output-file
: File path to use for the generated token file (replacepath/to/tokens.json
)
influxdb3 create token \
--name TOKEN_NAME \
--permission "TOKEN_PERMISSIONS" \
--expiry DURATION \
--offline \
--create-databases DATABASE_LIST \
--output-file path/to/tokens.json
Add multiple tokens to a permission tokens file
If you write a new offline permission token to an existing permission token file, the command appends the new token to the existing output file.
You can write or generate your own permission tokens file
The influxdb3 create token --offline
command makes generating an
offline permission tokens file easy, but it is not required.
You can write or generate your own permission tokens file using the
required JSON schema.
Token string security standards
If writing or generating your own permission tokens file, ensure that token strings are sufficiently secure. We recommend the following:
- Use a cryptographically secure pseudorandom number generator.
- Ensure sufficient length and entropy. Generate and base64-encode a random string of at least 16 bytes (128 bits).
- Prepend the generated string with
apiv3_
for InfluxDB compatibility.
Token file permissions
Token file permissions should be restricted 0600
to protect the tokens.
Offline permission tokens file schema
An offline permission tokens file is a JSON-formatted file that contains a single object with the following fields:
create_databases: (Optional) Array of database names to create when starting the server
tokens: Array of token objects
- token: The raw token string (must begin with
apiv3_
) - name: A unique token name
- expiry_millis: (Optional) Token expiration time as a millisecond Unix timestamp
- permissions: Array of token permission strings.
- token: The raw token string (must begin with
{
"create_databases": [
"db1",
"db2",
"db3",
"db4"
],
"tokens": [
{
"token": "apiv3_0XXXX-xxxXxXxxxXX_OxxxX...",
"name": "token-1",
"expiry_millis": 1756400061529,
"permissions": [
"db:db1,db2:read,write",
"db:db3:read"
]
},
{
"token": "apiv3_0XXXX-xxxXxXxxxXX_OxxxX...",
"name": "token-2",
"expiry_millis": 1756400061529,
"permissions": [
"db:db4:read,write"
]
}
]
}
Start InfluxDB with the preconfigured permission tokens
When starting InfluxDB 3 Enterprise, include the --permission-tokens-file
option with the influxdb3 serve
command or set the
INFLUXDB3_PERMISSION_TOKENS_FILE
environment
variable to provide the preconfigured offline permission tokens file:
influxdb3 serve \
# ... \
--permission-tokens-file path/to/admin-token.json
INFLUXDB3_PERMISSION_TOKENS_FILE=path/to/admin-token.json
influxdb3 serve \
# ... \
When the server starts, you can use the preconfigured permission (resource) tokens to write data to and query data from with your InfluxDB 3 Enterprise instance or cluster.
Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB 3 Enterprise and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support. Customers using a trial license can email trial@influxdata.com for assistance.