Auth Tokens¶
What is an Auth Token?¶
Auth Tokens protect access to your Tinybird resources.
Any operations to manage your Tinybird resources via the CLI or REST API require a valid Auth Token with the necessary permissions. Access to the APIs you publish in Tinybird are also protected with Auth Tokens.
Auth Tokens can have different scopes. This means you can limit which operations a specific Auth Token can do. You can create Auth Tokens that are, for example, only able to do admin operations on Tinybird resources, or only have READ permission for a specific Data Source.
An Auth Token looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
What should I use Auth Tokens for?¶
If you are performing operations on your account (like importing data, creating data sources, or publishing APIs via the CLI or REST API) you must use an Auth Token.
When you publish an API that exposes your data to an application, you need an Auth Token to successfully hit the API.
Auth Token scopes¶
When an Auth token is created, you have the choice to give it a set of zero or more scopes that define which tables can be accessed by that token, and which methods can be used to access them.
READ tokens can be augmented with a SQL filter. This allows you to further restrict what data an Auth Token grants access to. Using this, you can implement row-level security on READ tokens.
Available scopes syntax
| Value | Description |
|---|---|
DATASOURCES:CREATE | Enables your Auth token to create and append data to Data Sources. |
DATASOURCES:APPEND:datasource_name | Allows your Auth token to append data to the defined Data Sources. |
DATASOURCES:DROP:datasource_name | Allows your Auth token to delete the specified Data Sources |
DATASOURCES:READ:datasource_name | Gives your Auth token read permissions for the specified Data Sources. Also gives read for the quarantine Data Source. |
DATASOURCES:READ:datasource_name:sql_filter | Gives your Auth token read permissions for the specified table with the sql_filter applied |
PIPES:CREATE | Allows your Auth token to create new pipes and manipulate existing ones. |
PIPES:DROP:pipe_name | Allows your Auth token to delete the specified pipe |
PIPES:READ:pipe_name | Gives your Auth token read permissions for the specified pipe |
PIPES:READ:pipe_name:sql_filter | Gives your Auth token read permissions for the specified pipe with the sql_filter applied |
TOKENS | Gives your Auth token the capacity of managing Auth tokens |
ADMIN | All permissions will be granted you should not use this token except in really specific cases. Use it carefully! |
When adding the DATASOURCES:READ scope to a token it automatically gives read permissions to the "quarantine" datasource associated with it.
Your User Auth Token¶
Your User Auth Token is specific to your user account. It enables you to perform operations that are not limited to a single Workspace, such as creating new Workspaces.
You can only obtain your User Auth Token from the Tinybird UI.
Access the Auth Tokens page (see Mark 1 below) and select Your user token (see Mark 2 below).
Create Auth Tokens¶
Create an Auth Token in the UI¶
On the left side navigation, click the Auth Tokens page (see Mark 1 below). Then click the Plus (+) icon next to the Workspace Tokens heading (see Mark 2 below).
You can click on the token name to rename it (see Mark 1 below). Toggle Pipe scopes by checking the Enable boxes next to the scope (see Mark 2 below). To add finer-grained scopes, click the Add Data Source Scope or Add Pipe Scope links (see Mark 3 below).
When you're finished, click Save (see Mark 4 below).
Next steps¶
- Read about the Tinybird Tokens API.
- Understand Branches.