---
title: Manage API tokens
description: Create and manage API tokens for authenticating API requests and Telegraf agent connections to Telegraf Controller.
url: https://docs.influxdata.com/telegraf/controller/tokens/
estimated_tokens: 1761
product: Telegraf
version: v1
---

# Manage API tokens

#### Telegraf Controller is in Public Beta

Telegraf Controller is in public beta and will be part of the future Telegraf Enterprise offering. While in beta, Telegraf Controller is **not meant for production use**. The Telegraf Controller documentation is a work in progress, and we are actively working to improve it. If you have any questions or suggestions, please [submit an issue](https://github.com/influxdata/docs-v2/issues/new?labels=Telegraf%20Controller). We welcome any and all contributions.

Beta expectations

-   **No configuration or agent limits**  
    While in beta, Telegraf Controller doesn't place any limits on the number of configurations you can store or the number of Telegraf agents you can track. However, once Telegraf Controller is generally available, the free distribution will have limits, with the option to increase them through a Telegraf Enterprise license.
-   **Potential breaking changes**  
    While in beta, we will do our best not to make breaking changes to Telegraf Controller; however, they may be necessary. The majority of changes we make will be additive and non-breaking, and will include any necessary migrations. When we do need to make breaking changes, we will do our best to communicate them clearly and in advance to minimize disruption.
-   **Flexible release schedule**  
    While in beta, we will continue to create new releases of Telegraf Controller, but likely at irregular intervals. We will provide [Telegraf Controller release notes](/telegraf/controller/reference/release-notes/) to make it easy to track updates.

Provide beta feedback

-   Use the **Feedback** feature in the Telegraf Controller UI.
-   [Join the InfluxDB Community Slack](https://influxdata.com/slack) and post feedback in the **#telegraf-enterprise-alpha** channel.
-   Post feedback in the [InfluxData Community](https://community.influxdata.com).

API tokens authenticate requests to the Telegraf Controller API and Telegraf agent connections. Use tokens to authorize Telegraf agents, heartbeat requests, and external API clients.

## Token format

All API tokens use the `tc-apiv1_` prefix, making them easy to identify in configuration files and scripts.

The full token value is displayed only once at the time of creation and cannot be retrieved later. Copy and store the token in a secure location immediately after creating it.
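Because every token starts with `tc-apiv1_`, a pre-commit or CI check can look for tokens pasted into files as literals. The following is an added example, not part of Telegraf Controller; the token body pattern (character set and minimum length) and the sample configuration are assumptions, since this page documents only the prefix.

```python
import hashlib
import re

# Assumption: only the "tc-apiv1_" prefix is documented. The body character
# set and minimum length are guesses; tune them against real tokens.
TOKEN_RE = re.compile(r"tc-apiv1_[A-Za-z0-9_\-]{8,}")


def fingerprint(token: str) -> str:
    """Short SHA-256 fingerprint so findings can be correlated without the secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scan_text(name: str, text: str) -> list[dict]:
    """Return one finding per token occurrence, never including the raw token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append({
                "file": name,
                "line": lineno,
                "fingerprint": fingerprint(match.group(0)),
                # Report the line with the secret masked, not the secret itself.
                "redacted": TOKEN_RE.sub("tc-apiv1_<redacted>", line).strip(),
            })
    return findings


# Constructed sample input: not a real token, and the "token" key is hypothetical.
SAMPLE_CONF = '''\
[agent]
  interval = "10s"
# literal pasted inline: should be flagged
token = "tc-apiv1_EXAMPLEexample0123456789"
# value read from the environment: not flagged
token = "${TC_API_TOKEN}"
'''

if __name__ == "__main__":
    for f in scan_text("telegraf.conf", SAMPLE_CONF):
        print(f"{f['file']}:{f['line']} {f['fingerprint']} {f['redacted']}")
```

Any token the scan finds in a shared file or repository should be revoked and replaced, since the full value cannot be retrieved or rotated in place.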

#### Raw token strings are not stored

Tokens are stored as a cryptographic hash. The original value is never saved. If you lose a token, you must revoke it and create a new one.

## Token permissions

Each token is scoped to a specific user. Token permissions are restricted to the permissions allowed by the user’s role. A token cannot exceed the permissions of the user it belongs to.

When you create a token, you can set custom permissions to restrict the token’s access below your full role permissions. This lets you issue narrowly scoped tokens for specific tasks, such as a token that can only register agents or a token limited to read-only access.

## Token states

Tokens exist in one of two states:

-   **Active** – The token can be used for authentication.
-   **Revoked** – The token is permanently disabled but the record is retained for auditing purposes.

Revoking a token is irreversible. Any agent or client using a revoked token immediately loses access.
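The model below ties together the three behaviors described so far: hash-only storage, permissions capped by the user's role, and revocation that keeps the record. It is an added illustration, not Telegraf Controller's implementation; the choice of SHA-256, the permission names, the role mapping, and the silent narrowing of requested permissions are all assumptions.

```python
import hashlib
import secrets

PREFIX = "tc-apiv1_"
# Hypothetical permission names and role mapping, for illustration only.
ROLE_PERMS = {
    "manager": {"agents:register", "configs:read", "configs:write"},
    "viewer": {"configs:read"},
}


class TokenStore:
    def __init__(self):
        self._records = {}  # token hash -> record; the raw token is never kept

    @staticmethod
    def _digest(raw: str) -> str:
        # SHA-256 is an assumption; the page says only "a cryptographic hash".
        return hashlib.sha256(raw.encode()).hexdigest()

    def create(self, user: str, role: str, requested: set) -> str:
        # A token can narrow the role's permissions but never exceed them.
        granted = set(requested) & ROLE_PERMS[role]
        raw = PREFIX + secrets.token_urlsafe(32)
        self._records[self._digest(raw)] = {
            "user": user, "perms": granted, "state": "active"}
        return raw  # shown once; afterwards only the hash exists

    def revoke(self, raw: str) -> None:
        # The record is kept for auditing; only the state changes.
        self._records[self._digest(raw)]["state"] = "revoked"

    def authorize(self, raw: str, perm: str) -> bool:
        # Look up by hash of the presented token; unknown tokens are rejected.
        rec = self._records.get(self._digest(raw))
        return bool(rec) and rec["state"] == "active" and perm in rec["perms"]

    def contains_raw(self, raw: str) -> bool:
        """True if the raw token string appears anywhere in stored data."""
        return raw in repr(self._records)
```

Because only the hash is kept, a lost token cannot be looked up or re-displayed, which is why the only recovery path is to revoke it and create a new one.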

## Token visibility

Your role determines which tokens you can view and manage:

| Role | Token visibility |
| --- | --- |
| Owner | All tokens across all users |
| Administrator | All tokens across all users |
| Manager | Only their own tokens |
| Viewer | Cannot manage tokens |

**Owner** and **Administrator** users can revoke any token in the organization, including tokens belonging to other users.

## [Create an API token](/telegraf/controller/tokens/create/)

Create a new API token for authenticating with the Telegraf Controller API.

## [Use API tokens](/telegraf/controller/tokens/use/)

Use API tokens to authenticate Telegraf agents, heartbeat requests, and external API clients with Telegraf Controller.

## [Reassign a token](/telegraf/controller/tokens/reassign/)

Reassign an API token from one user to another in Telegraf Controller.

## [Revoke a token](/telegraf/controller/tokens/revoke/)

Revoke an API token to immediately prevent its use while keeping the token record for auditing.

## [Delete a token](/telegraf/controller/tokens/delete/)

Permanently delete an API token from Telegraf Controller.

#### Related

-   [Authorization](/telegraf/controller/reference/authorization/)
