Documentation

Configure authentication

To configure authentication, do one of the following:

Enable authentication

Authentication is disabled by default in InfluxDB and InfluxDB Enterprise. After installing the data nodes, enable authentication to control access to your cluster.

To enable authentication in a cluster, do the following:

  1. Create an admin user (if you haven’t already). Using the influx CLI, run the following command:

    CREATE USER <admin_user> WITH PASSWORD '<admin_password>' WITH ALL PRIVILEGES
    

    Replace the following:

    • <admin_user>: Admin username
    • <admin_password>: Admin password
  2. Set auth-enabled to true in the [http] section of the configuration files for all meta and data nodes:

    [http]
      # ...
      auth-enabled = true
    
  3. Restart all InfluxDB Enterprise meta and data nodes to apply the updated configuration. Once restarted, InfluxDB Enterprise checks user credentials on every request and only processes requests with valid credentials.

Configure authentication using JWT tokens

For a more secure alternative to using passwords, include JWT tokens in requests to the InfluxDB API.

  1. Add a shared secret in your InfluxDB Enterprise configuration file.

    InfluxDB Enterprise uses the shared secret to encode the JWT signature. By default, shared-secret is set to an empty string (no JWT authentication). Add a custom shared secret in your InfluxDB configuration file for each meta and data node. Longer strings are more secure:

    [http]
    shared-secret = "my super secret pass phrase"
    

    Alternatively, to avoid keeping your secret phrase as plain text in your InfluxDB configuration file, set the value with the INFLUXDB_HTTP_SHARED_SECRET environment variable (for example, in Linux: export INFLUXDB_HTTP_SHARED_SECRET=MYSUPERSECRETPASSPHRASE).

  2. Generate your JWT token.

    Use an authentication service (such as, https://jwt.io/) to generate a secure token using your InfluxDB username, an expiration time, and your shared secret.

    The payload (or claims) of the token must be in the following format:

    {
        "username": "myUserName",
        "exp": 1516239022
    }
    

    To encode the payload using your shared secret, use a JWT library in your own authentication server or encode by hand at https://jwt.io/.

  3. Include the token in HTTP requests.

    Include your generated token as part of the Authorization header in HTTP requests:

    Authorization: Bearer <myToken>
    

    Only unexpired tokens will successfully authenticate. Verify your token has not expired.

Example query request with JWT authentication

curl -G "http://localhost:8086/query?db=demodb" \
  --data-urlencode "q=SHOW DATABASES" \
  --header "Authorization: Bearer <header>.<payload>.<signature>"

Authentication and authorization HTTP errors

Requests with no authentication credentials or incorrect credentials yield the HTTP 401 Unauthorized response.

Requests by unauthorized users yield the HTTP 403 Forbidden response.

Next steps

After configuring authentication, you can manage users and permissions as necessary.

Important
Authentication must be enabled before authorization can be managed. If authentication is not enabled, permissions will not be enforced.


Was this page helpful?

Thank you for your feedback!


Introducing InfluxDB Clustered

A highly available InfluxDB 3.0 cluster on your own infrastructure.

InfluxDB Clustered is a highly available InfluxDB 3.0 cluster built for high write and query workloads on your own infrastructure.

InfluxDB Clustered is currently in limited availability and is only available to a limited group of InfluxData customers. If interested in being part of the limited access group, please contact the InfluxData Sales team.

Learn more
Contact InfluxData Sales

The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Flux is going into maintenance mode and will not be supported in InfluxDB 3.0. This was a decision based on the broad demand for SQL and the continued growth and adoption of InfluxQL. We are continuing to support Flux for users in 1.x and 2.x so you can continue using it with no changes to your code. If you are interested in transitioning to InfluxDB 3.0 and want to future-proof your code, we suggest using InfluxQL.

For information about the future of Flux, see the following: