Auth Tokens¶
What is an Auth Token?¶
Auth Tokens protect access to your Tinybird resources.
Any operations to manage your Tinybird resources via the CLI or REST API will require a valid Auth Token with the necessary permissions. Access to the APIs you publish in Tinybird are also protected with Auth Tokens.
Auth Tokens can have different scopes. This means that you can limit what operations a specific Auth Token can do. You can create Auth Tokens that are, for example, only able to do admin operations on Tinybird resources, or only have READ
permission for a specific Data Source.
An Auth Token looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
What should I use Auth Tokens for?¶
If you are performing operations on your account -such as importing data, creating data sources, or publishing APIs via the CLI or REST API- you must use an Auth Token.
When you publish an API that exposes your data to an application, you will need an Auth Token to successfully hit the API.
Auth Token scopes¶
When an Auth token is created, you have the choice to give it a set of zero or more scopes that define which tables can be accessed by that token and which methods can be used to access them.
READ
tokens can be augmented with a SQL filter. This allows you to further restrict what data an Auth Token grants access to. Using this, you can implement row-level security on READ
tokens.

Auth tokens scopes can be applied to full Data Sources, or filtered rows.¶
Value |
Description |
---|---|
|
Enables your Auth token to create and append data to Data Sources. |
|
Allows your Auth token to append data to the defined Data Sources. |
|
Allows your Auth token to delete the specified Data Sources |
|
Gives your Auth token read permissions for the specified Data Sources. Also gives read for the quarantine Data Source. |
|
Gives your Auth token read permissions for the specified table with the |
|
Allows your Auth token to create new pipes and manipulate existing ones. |
|
Allows your Auth token to delete the specified pipe |
|
Gives your Auth token read permissions for the specified pipe |
|
Gives your Auth token read permissions for the specified pipe with the |
|
Gives your Auth token the capacity of managing Auth tokens |
|
All permissions will be granted, you should not use this token except in really specific cases. Use it carefully! |
When adding the DATASOURCES:READ
scope to a token it automatically gives read permissions to the “quarantine” datasource associated with it.
Getting your User Auth Token¶
Your User Auth Token is specific to your user. It enables you to perform operation that are not specific to a single Workspace, such as creating new Workspaces.
At this time, you can only obtain your User Auth Token from the Tinybird UI.
Access the Auth Tokens page (see Mark 1 below) and select Your user token (see Mark 2 below).
To copy the token, use the copy button (see Mark 3 below).

Creating Auth Tokens¶
Creating Auth Tokens in the UI¶
This section describes how to create an Auth Token in the UI.
On the left side navigation, click the Auth Tokens page (see Mark 1 below). Then click the Plus (+) icon next to the Workspace Tokens heading (see Mark 2 below).

You can click on the token name to rename it (see Mark 1 below). Toggle Pipe scopes by checking the Enable boxes next to the scope (see Mark 2 below). To add finer grained scopes, click the Add Data Source Scope or Add Pipe Scope links (see Mark 3 below).
When you’re finished, click Save (see Mark 4 below).
