Auth Tokens

What is an Auth Token?

Auth Tokens protect access to your Tinybird resources.

Any operations to manage your Tinybird resources via the CLI or REST API will require a valid Auth Token with the necessary permissions. Access to the APIs you publish in Tinybird are also protected with Auth Tokens.

Auth Tokens can have different scopes. This means that you can limit what operations a specific Auth Token can do. You can create Auth Tokens that are, for example, only able to do admin operations on Tinybird resources, or only have READ permission for a specific Data Source.

An Auth Token looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

What should I use Auth Tokens for?

If you are performing operations on your account -such as importing data, creating data sources, or publishing APIs via the CLI or REST API- you must use an Auth Token.

When you publish an API that exposes your data to an application, you will need an Auth Token to successfully hit the API.

Auth Token scopes

When an Auth token is created, you have the choice to give it a set of zero or more scopes that define which tables can be accessed by that token and which methods can be used to access them.

READ tokens can be augmented with a SQL filter. This allows you to further restrict what data an Auth Token grants access to. Using this, you can implement row-level security on READ tokens.

Auth tokens overview

Auth tokens scopes can be applied to full Data Sources, or filtered rows.

Available scopes syntax

Value

Description

DATASOURCES:CREATE

Enables your Auth token to create and append data to Data Sources.

DATASOURCES:APPEND:datasource_name

Allows your Auth token to append data to the defined Data Sources.

DATASOURCES:DROP:datasource_name

Allows your Auth token to delete the specified Data Sources

DATASOURCES:READ:datasource_name

Gives your Auth token read permissions for the specified Data Sources

DATASOURCES:READ:datasource_name:sql_filter

Gives your Auth token read permissions for the specified table with the sql_filter applied

PIPES:CREATE

Allows your Auth token to create new pipes and manipulate existing ones.

PIPES:DROP:pipe_name

Allows your Auth token to delete the specified pipe

PIPES:READ:pipe_name

Gives your Auth token read permissions for the specified pipe

PIPES:READ:pipe_name:sql_filter

Gives your Auth token read permissions for the specified pipe with the sql_filter applied

TOKENS

Gives your Auth token the capacity of managing Auth tokens

ADMIN

All permissions will be granted, you should not use this token except in really specific cases. Use it carefully!

When adding the DATASOURCES:READ scope to a token it automatically gives read permissions to the “quarantine” datasource associated with it.

Getting your User Auth Token

Your User Auth Token is specific to your user. It enables you to perform operation that are not specific to a single Workspace, such as creating new Workspaces.

At this time, you can only obtain your User Auth Token from the Tinybird UI.

Access the Auth Tokens page (see Mark 1 below) and select Your user token (see Mark 2 below).

To copy the token, use the copy button (see Mark 3 below).

../_images/concepts-auth-tokens-getting-user-auth-token-1.png

Creating Auth Tokens

Creating Auth Tokens in the UI

This section describes how to create an Auth Token in the UI.

On the left side navigation, click the Auth Tokens page (see Mark 1 below). Then click the Plus (+) icon next to the Workspace Tokens heading (see Mark 2 below).

../_images/concepts-auth-tokens-create-token-1.png

You can click on the token name to rename it (see Mark 1 below). Toggle Pipe scopes by checking the Enable boxes next to the scope (see Mark 2 below). To add finer grained scopes, click the Add Data Source Scope or Add Pipe Scope links (see Mark 3 below).

When you’re finished, click Save (see Mark 4 below).

../_images/concepts-auth-tokens-create-token-2.png