Auth Tokens

What is an Auth Token?

Auth Tokens protect access to your Tinybird resources.

Any operations to manage your Tinybird resources via the CLI or REST API require a valid Auth Token with the necessary permissions. Access to the APIs you publish in Tinybird are also protected with Auth Tokens.

Auth Tokens can have different scopes. This means you can limit which operations a specific Auth Token can do. You can create Auth Tokens that are, for example, only able to do admin operations on Tinybird resources, or only have READ permission for a specific Data Source.

An Auth Token looks like this:


What should I use Auth Tokens for?

If you are performing operations on your account (like importing data, creating data sources, or publishing APIs via the CLI or REST API) you must use an Auth Token.

When you publish an API that exposes your data to an application, you need an Auth Token to successfully hit the API.

Auth Token scopes

When an Auth token is created, you have the choice to give it a set of zero or more scopes that define which tables can be accessed by that token, and which methods can be used to access them.

READ tokens can be augmented with a SQL filter. This allows you to further restrict what data an Auth Token grants access to. Using this, you can implement row-level security on READ tokens.

Auth tokens scopes can be applied to full Data Sources, or filtered rows.

Available scopes syntax

DATASOURCES:CREATEEnables your Auth token to create and append data to Data Sources.
DATASOURCES:APPEND:datasource_nameAllows your Auth token to append data to the defined Data Sources.
DATASOURCES:DROP:datasource_nameAllows your Auth token to delete the specified Data Sources
DATASOURCES:READ:datasource_nameGives your Auth token read permissions for the specified Data Sources. Also gives read for the quarantine Data Source.
DATASOURCES:READ:datasource_name:sql_filterGives your Auth token read permissions for the specified table with the sql_filter applied
PIPES:CREATEAllows your Auth token to create new pipes and manipulate existing ones.
PIPES:DROP:pipe_nameAllows your Auth token to delete the specified pipe
PIPES:READ:pipe_nameGives your Auth token read permissions for the specified pipe
PIPES:READ:pipe_name:sql_filterGives your Auth token read permissions for the specified pipe with the sql_filter applied
TOKENSGives your Auth token the capacity of managing Auth tokens
ADMINAll permissions will be granted you should not use this token except in really specific cases. Use it carefully!

When adding the DATASOURCES:READ scope to a token it automatically gives read permissions to the "quarantine" datasource associated with it.

Your User Auth Token

Your User Auth Token is specific to your user account. It enables you to perform operations that are not limited to a single Workspace, such as creating new Workspaces.

You can only obtain your User Auth Token from the Tinybird UI.

Access the Auth Tokens page (see Mark 1 below) and select Your user token (see Mark 2 below).


Create Auth Tokens

Create an Auth Token in the UI

On the left side navigation, click the Auth Tokens page (see Mark 1 below). Then click the Plus (+) icon next to the Workspace Tokens heading (see Mark 2 below).


You can click on the token name to rename it (see Mark 1 below). Toggle Pipe scopes by checking the Enable boxes next to the scope (see Mark 2 below). To add finer-grained scopes, click the Add Data Source Scope or Add Pipe Scope links (see Mark 3 below).

When you're finished, click Save (see Mark 4 below).


Next steps