Authenticate requests to InfluxDB Enterprise
To require valid credentials for cluster access, see “Enable authentication”.
Authenticate requests
Authenticate with the InfluxDB API
Authenticate with the InfluxDB API using one of the following options:
- Authenticate with basic authentication
- Authenticate with query parameters in the URL or request body
If you authenticate with both basic authentication and the URL query parameters, the user credentials specified in the query parameters take precedence. The following examples demonstrate queries with admin user permissions. To learn about different users types, permissions, and how to manage users, see authorization.
InfluxDB Enterprise redacts passwords in log output when you enable authentication.
Authenticate with basic authentication
curl -G http://localhost:8086/query \
-u todd:password4todd \
--data-urlencode "q=SHOW DATABASES"
Authenticate with query parameters in the URL or request body
Set u
as the username and p
as the password.
Credentials as query parameters
curl -G "http://localhost:8086/query?u=todd&p=password4todd" \
--data-urlencode "q=SHOW DATABASES"
Credentials in the request body
curl -G http://localhost:8086/query \
--data-urlencode "u=todd" \
--data-urlencode "p=password4todd" \
--data-urlencode "q=SHOW DATABASES"
Authenticate with the CLI
There are three options for authenticating with the CLI:
- Authenticate with environment variables
- Authenticate with CLI flags
- Authenticate with credentials in the influx shell
Authenticate with environment variables
Use the INFLUX_USERNAME
and INFLUX_PASSWORD
environment variables to provide
authentication credentials to the influx
CLI.
export INFLUX_USERNAME=todd
export INFLUX_PASSWORD=password4todd
echo $INFLUX_USERNAME $INFLUX_PASSWORD
todd password4todd
influx
Connected to http://localhost:8086 version 1.11.8
InfluxDB shell 1.11.8
Authenticate with CLI flags
Use the -username
and -password
flags to provide authentication credentials
to the influx
CLI.
influx -username todd -password password4todd
Connected to http://localhost:8086 version 1.11.8
InfluxDB shell 1.11.8
Authenticate with credentials in the influx shell
Start the influx
shell and run the auth
command.
Enter your username and password when prompted.
$ influx
Connected to http://localhost:8086 version 1.11.8
InfluxDB shell 1.11.8
> auth
username: todd
password:
>
Authenticate using JWT tokens
For a more secure alternative to using passwords, include JWT tokens with requests to the InfluxDB API. This is currently only possible through the InfluxDB HTTP API.
-
Add a shared secret in your InfluxDB Enterprise configuration file.
InfluxDB Enterprise uses the shared secret to encode the JWT signature. By default,
shared-secret
is set to an empty string, in which case no JWT authentication takes place.Add a custom shared secret in your InfluxDB configuration file. The longer the secret string, the more secure it is:
[http] shared-secret = "my super secret pass phrase"
Alternatively, to avoid keeping your secret phrase as plain text in your InfluxDB configuration file, set the value with the
INFLUXDB_HTTP_SHARED_SECRET
environment variable. -
Generate your JWT token.
Use an authentication service to generate a secure token using your InfluxDB username, an expiration time, and your shared secret. There are online tools, such as https://jwt.io/, that will do this for you.
The payload (or claims) of the token must be in the following format:
{ "username": "myUserName", "exp": 1516239022 }
- username - The name of your InfluxDB user.
- exp - The expiration time of the token in UNIX epoch time. For increased security, keep token expiration periods short. For testing, you can manually generate UNIX timestamps using https://www.unixtimestamp.com/index.php.
Encode the payload using your shared secret. You can do this with either a JWT library in your own authentication server or by hand at https://jwt.io/.
The generated token follows this format:
<header>.<payload>.<signature>
-
Include the token in HTTP requests.
Include your generated token as part of the
Authorization
header in HTTP requests:Authorization: Bearer <myToken>
Only unexpired tokens will successfully authenticate. Be sure your token has not expired.
Example query request with JWT authentication
curl -G "http://localhost:8086/query?db=demodb" \
--data-urlencode "q=SHOW DATABASES" \
--header "Authorization: Bearer <header>.<payload>.<signature>"
Authenticate Telegraf requests to InfluxDB
Authenticating Telegraf requests to an InfluxDB instance with
authentication enabled requires some additional steps.
In the Telegraf configuration file (/etc/telegraf/telegraf.conf
), uncomment
and edit the username
and password
settings.
###############################################################################
# OUTPUT PLUGINS #
###############################################################################
# ...
[[outputs.influxdb]]
# ...
username = "example-username" # Provide your username
password = "example-password" # Provide your password
# ...
Restart Telegraf and you’re all set!
Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support.