How do I create a generic user to create and manage tokens?

Hi folks,

I’ve recently migrated my v1.8 InfluxDB OSS environment to v2.0. I am now trying to follow the create a token docs to create a generic user to manage tokens.

The docs don’t say how to create the user so I have simply created a new user in the CLI using the following command:

influx user create -n 'my-token-manager-username' -p 'some-password' -o 'my-org-name'

The user created successfully and I can use it to log in to the InfluxDB GUI. However when I try and create a token in the GUI I get the following error:

Failed to create tokens: write:orgs/id-redacted/authorizations is unauthorized

My guess is that this new user doesn’t have the necessary privileges to issue tokens, but I can’t find anything in the v2.0 docs which tells me how to go about granting those permissions.

Grateful if anyone can shine a little wisdom on what I’m doing wrong here.



You should be able to create a new token without creating a new user, and just give the token a limit scope.

Hi @mhall119 , thanks for replying.

Are you suggesting that I use my administrative user to create the new token? Would the token then belong to the administrative user? Can you elaborate on what the token limit scope would achieve?

Many thanks,


You can give a token a limited scope regardless of what user account created it. For example, if you just want it to be able to write data to a specific bucket, and nothing else (ideal for your data-collection agent), you can create a token that only has write access, and only to that one bucket. That way if somebody gains access to your token, the worst thing they can do is write bad data to that one bucket.

Understood, thanks for the explanation.

I’m keen to follow the approach recommended by the docs and like the separation of concerns that would result from this approach. How would I go about granting a non-admin user the requisite permissions to issue tokens?