content/influxdb3/clustered/admin/tokens/database/create.md
Use the influxctl token create command
to create a token that grants access to databases in your {{% product-name omit=" Clustered" %}} cluster.
If you haven't already, download and install the influxctl CLI.
In your terminal, run the influxctl token create command and provide the following:
Token permissions (read and write)
--read-database: Grants read permissions to the specified database. Repeatable.--write-database: Grants write permissions to the specified database. Repeatable.Both of these flags support the * wildcard which grants read or write
permissions to all databases. Enclose wildcards in single or double
quotes--for example: '*' or "*".
Token expiration date and time in RFC3339 format. If you do not provide an expiration, the token does not expire.
Token description
{{% code-placeholders "DATABASE_NAME|TOKEN_DESCRIPTION|RFC3339_TIMESTAMP" %}}
influxctl token create \
--read-database DATABASE_NAME \
--write-database DATABASE_NAME \
--expires-at RFC3339_TIMESTAMP \
"Read/write token for DATABASE_NAME"
{{% /code-placeholders %}}
Replace the following:
DATABASE_NAME{{% /code-placeholder-key %}}:
your {{% product-name %}} databaseRFC3339_TIMESTAMP{{% /code-placeholder-key %}}:
the token expiration date and time in
RFC3339 format.The output is the token ID and the token string. This is the only time the token string is available in plain text.
401 Unauthorized error)
for querying or writing, wait and then try again.[!Note]
Store secure tokens in a secret store
Token strings are viewable only on token creation and aren't stored by InfluxDB. We recommend storing database tokens in a secure secret store. For example, see how to authenticate Telegraf using tokens in your OS secret store.
If you lose a token, delete the token from InfluxDB and create a new one.
The influxctl token create command supports the --format json option.
By default, the command outputs the token string.
For token details and easier programmatic access to the command output, include --format json
with your command to format the output as JSON.
In the examples below, replace the following:
DATABASE_NAME{{% /code-placeholder-key %}}: your {{< product-name >}} databaseDATABASE2_NAME{{% /code-placeholder-key %}}: your {{< product-name >}} database{{% code-placeholders "DATABASE_NAME" %}}
influxctl token create \
--read-database DATABASE_NAME \
--write-database DATABASE_NAME \
"Read/write token for DATABASE_NAME"
{{% /code-placeholders %}}
influxctl token create \
--read-database "*" \
--write-database "*" \
"Read/write token for all databases"
{{% code-placeholders "DATABASE_NAME" %}}
influxctl token create \
--read-database DATABASE_NAME \
"Read-only token for DATABASE_NAME"
{{% /code-placeholders %}}
{{% code-placeholders "DATABASE_NAME|DATABASE2_NAME" %}}
influxctl token create \
--read-database DATABASE_NAME \
--read-database DATABASE2_NAME \
"Read-only token for DATABASE_NAME and DATABASE2_NAME"
{{% /code-placeholders %}}
{{% code-placeholders "DATABASE_NAME|DATABASE2_NAME" %}}
influxctl token create \
--read-database DATABASE_NAME \
--read-database DATABASE2_NAME \
--write-database DATABASE2_NAME \
"Read-only on DATABASE_NAME, read/write on DATABASE2_NAME"
{{% /code-placeholders %}}
{{% code-placeholders "DATABASE_NAME" %}}
{{< code-tabs-wrapper >}} {{% code-tabs %}} Linux macOS {{% /code-tabs %}} {{% code-tab-content %}}
<!-- pytest.mark.skip -->influxctl token create \
--read-database DATABASE_NAME \
--write-database DATABASE_NAME \
--expires-at $(date -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z") \
"Read/write token for DATABASE_NAME with 7d expiration"
{{% /code-tab-content %}} {{% code-tab-content %}}
<!-- pytest.mark.skip -->influxctl token create \
--read-database DATABASE_NAME \
--write-database DATABASE_NAME \
--expires-at $(gdate -d "+7 days" +"%Y-%m-%dT%H:%M:%S%z") \
"Read/write token for DATABASE_NAME with 7d expiration"
{{% /code-tab-content %}} {{< /code-tabs-wrapper >}}
{{% /code-placeholders %}}