content/influxdb3/clustered/reference/cli/influxctl/token/create.md
The influxctl token create command creates a database token with specified
permissions to resources in an InfluxDB cluster and outputs
the token string.
The --read-database and --write-database flags support the * wildcard
which grants read or write permissions to all databases. Enclose wildcards in
single or double quotes--for example: '*' or "*".
The --expires-at flag specifies the date and time a token should expire.
Provide an RFC3339 timestamp.
> [!Important]
> If you don't specify a token expiration, the token never expires.
The --format flag lets you print the output in other formats.
The json format is available for programmatic parsing by other tooling.
Default: table.
401 Unauthorized error) for querying or
writing, wait and then try again.

> [!Note]
> Store secure tokens in a secret store
>
> Token strings are viewable only on token creation and aren't stored by InfluxDB. We recommend storing database tokens in a secure secret store.
```sh
influxctl token create \
  [--read-database=<DATABASE_NAME>] \
  [--write-database=<DATABASE_NAME>] \
  [--expires-at=<RFC3339_DATE>] \
  <TOKEN_DESCRIPTION>
```
| Argument | Description |
|---|---|
| TOKEN_DESCRIPTION | Database token description |
| Flag | | Description |
|---|---|---|
| | --expires-at | Token expiration date and time in RFC3339 format |
| | --format | Output format (table (default) or json) |
| | --read-database | Grant read permissions to a database (Repeatable) |
| | --write-database | Grant write permissions to a database (Repeatable) |
| -h | --help | Output command help |
{{% caption %}}
Also see influxctl global flags.
{{% /caption %}}
In the examples below, replace the following:
- {{% code-placeholder-key %}}DATABASE_NAME{{% /code-placeholder-key %}}: your {{% product-name %}} database name
- {{% code-placeholder-key %}}DATABASE2_NAME{{% /code-placeholder-key %}}: your second {{% product-name %}} database name
- {{% code-placeholder-key %}}TOKEN_ID{{% /code-placeholder-key %}}: token ID to update

{{% code-placeholders "DATABASE_NAME" %}}
<!-- pytest.mark.skip -->

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  --write-database DATABASE_NAME \
  "Read/write token for DATABASE_NAME"
```
{{% /code-placeholders %}}
```sh
influxctl token create \
  --read-database "*" \
  --write-database "*" \
  "Read/write token for all databases"
```
{{% code-placeholders "DATABASE_NAME" %}}
<!-- pytest.mark.skip -->

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  "Read-only token for DATABASE_NAME"
```
{{% /code-placeholders %}}
{{% code-placeholders "DATABASE_NAME|DATABASE2_NAME" %}}
<!-- pytest.mark.skip -->

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  --read-database DATABASE2_NAME \
  "Read-only token for DATABASE_NAME and DATABASE2_NAME"
```
{{% /code-placeholders %}}
{{% code-placeholders "DATABASE_NAME|DATABASE2_NAME" %}}
<!-- pytest.mark.skip -->

```sh
influxctl token create \
  --read-database DATABASE_NAME \
  --read-database DATABASE2_NAME \
  --write-database DATABASE2_NAME \
  "Read-only on DATABASE_NAME, read/write on DATABASE2_NAME"
```
{{% /code-placeholders %}}
{{% code-placeholders "DATABASE_NAME" %}}
{{< code-tabs-wrapper >}}
{{% code-tabs %}}
Linux
macOS
{{% /code-tabs %}}
{{% code-tab-content %}}
<!-- pytest.mark.skip -->

```sh
# %:z prints the UTC offset as +hh:mm, the form RFC3339 requires
influxctl token create \
  --read-database DATABASE_NAME \
  --write-database DATABASE_NAME \
  --expires-at "$(date -d "+7 days" +"%Y-%m-%dT%H:%M:%S%:z")" \
  "Read/write token for DATABASE_NAME with 7d expiration"
```
{{% /code-tab-content %}}
{{% code-tab-content %}}
<!-- pytest.mark.skip -->

```sh
# gdate is GNU date; %:z prints the UTC offset as +hh:mm, the form RFC3339 requires
influxctl token create \
  --read-database DATABASE_NAME \
  --write-database DATABASE_NAME \
  --expires-at "$(gdate -d "+7 days" +"%Y-%m-%dT%H:%M:%S%:z")" \
  "Read/write token for DATABASE_NAME with 7d expiration"
```
{{% /code-tab-content %}}
{{< /code-tabs-wrapper >}}
{{% /code-placeholders %}}
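The two risks this page calls out (a token created without `--expires-at` never expires, and `*` grants access to all databases) can be checked before the command is run. The following is an added example, not part of the InfluxData documentation or of influxctl: the function names, the `read:DB`/`write:DB` permission syntax, `MAX_TTL_DAYS` and `ALLOW_WILDCARD` are assumptions, and only the `influxctl token create` flags come from this page.

```sh
# Added example: policy checks in front of `influxctl token create`.
# Assumed names: build_token_cmd, rfc3339_in_days, MAX_TTL_DAYS, ALLOW_WILDCARD.
MAX_TTL_DAYS=${MAX_TTL_DAYS:-90}   # assumed policy ceiling, in days

# Print a UTC RFC3339 timestamp N days from now (GNU date; gdate on macOS).
rfc3339_in_days() {
  date -u -d "+$1 days" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null ||
    gdate -u -d "+$1 days" +"%Y-%m-%dT%H:%M:%SZ"
}

# build_token_cmd TTL_DAYS DESCRIPTION PERM...   (PERM is read:DB or write:DB)
# Prints the influxctl argv, one argument per line, for review or logging.
# Returns 2 on invalid input, 3 on a wildcard grant without explicit opt-in.
# Variables are global because POSIX sh has no `local`.
build_token_cmd() {
  ttl=$1 desc=$2 grants=""
  [ $# -ge 3 ] || { echo "usage: build_token_cmd TTL_DAYS DESCRIPTION PERM..." >&2; return 2; }
  shift 2
  case $ttl in ''|*[!0-9]*) echo "TTL_DAYS must be an integer" >&2; return 2 ;; esac
  if [ "$ttl" -lt 1 ] || [ "$ttl" -gt "$MAX_TTL_DAYS" ]; then
    echo "TTL_DAYS must be 1..$MAX_TTL_DAYS (no never-expiring tokens)" >&2; return 2
  fi
  [ -n "$desc" ] || { echo "DESCRIPTION is required" >&2; return 2; }
  for perm in "$@"; do
    mode=${perm%%:*} db=${perm#*:}
    case $mode in read|write) ;; *) echo "bad permission: $perm" >&2; return 2 ;; esac
    [ -n "$db" ] && [ "$db" != "$perm" ] || { echo "bad permission: $perm" >&2; return 2; }
    if [ "$db" = "*" ] && [ "${ALLOW_WILDCARD:-0}" != 1 ]; then
      echo "refusing wildcard grant '$perm'; set ALLOW_WILDCARD=1 to allow" >&2; return 3
    fi
    # One argument per line: the flag, then the database name.
    grants="$grants--$mode-database
$db
"
  done
  expires=$(rfc3339_in_days "$ttl") || { echo "GNU date or gdate required" >&2; return 2; }
  printf '%s\n' influxctl token create
  printf '%s' "$grants"
  printf '%s\n' --expires-at "$expires" "$desc"
}
```

For example, `build_token_cmd 7 "Read-only token for DATABASE_NAME" read:DATABASE_NAME` prints a command with a 7-day expiry, while `build_token_cmd 7 "all" 'read:*'` fails with status 3 unless `ALLOW_WILDCARD=1` is set.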