Manage application tokens
Application tokens allow your application to authenticate and connect to your database using the Astra API. Every token is assigned a role. The role determines the level of access an application has to Astra resources.
To manage application tokens, you must have the Organization Administrator or Database Administrator role.
Generate an application token for a database
You can generate an application token with the Database Administrator role for a specific database.
Use this approach to create narrowly-scoped tokens that you can only use for one database. To create broadly-scoped tokens, see Generate an application token with any role.
-
Serverless (Vector) database
-
Serverless (Non-Vector) database
-
In the Astra Portal navigation menu, select your Serverless (Vector) database.
-
On the Overview tab, in the Database Details section, click Generate Token.
In Database Details, you can find your database’s API endpoint to use with the Data API. The database API endpoint format is
https://ASTRA_DB_ID-ASTRA_DB_REGION.apps.astra.datastax.com. -
Copy the token and store it securely. The Astra Portal shows the token only once.
-
In the Astra Portal navigation menu, select your Serverless (Non-Vector) database.
-
On the Connect tab, in the Database Essentials section, click Generate Database Token.
-
Copy or download the token details and store them securely. The Astra Portal shows the token details only once.
Generate an application token with any role
You can generate application tokens with any role. Tokens with broad roles, such as the Organization Administrator role, can be valid for multiple databases or administrative operations.
-
Astra Portal
-
DevOps API
-
In the Astra Portal, go to Settings, and then click Tokens.
-
In the Generate New Token section, select a default or custom role to assign to the token.
Select a role to see its permissions.
-
Click Generate Token.
-
Copy or download the Application Token Details and store them securely. The Astra Portal shows the token details only once.
You can use the DevOps API to generate tokens:
Get a list of tokens
-
Astra Portal
-
DevOps API
In the Astra Portal, go to Settings, and then click Tokens.
The Manage Existing Tokens section lists the application tokens in your organization.
To view tokens for a different organization, switch organizations.
You can use the DevOps API to get a list of tokens.
Delete an application token
|
Application tokens never expire, and you can’t edit roles assigned to tokens. |
If you need to rotate a token or modify its role, you must delete it and create a new token. DataStax also recommends deleting unused tokens.
-
Astra Portal
-
DevOps API
-
In the Astra Portal, go to Settings, and then click Tokens.
-
In the Manage Existing Tokens section, find the application token you want to delete, click More, and then select Delete.
-
In the confirmation dialog, click Delete Token.
You can use the DevOps API to revoke tokens.
Token details
Token details include the clientId, secret, and token.
The clientId and secret are legacy authentication methods.
The token, in the format AstraCS:…, comprises everything you need for Astra DB token authentication.
In some cases, such as with DataStax drivers or certain integrations, you might need to provide authentication in the form of a username and password.
Unless otherwise noted, you can set the username to the literal string token, and the password or secret to your application token.
-
Username and token
-
clientId and secret (legacy)
auth_provider = PlainTextAuthProvider("token", "AstraCS:...")auth_provider = PlainTextAuthProvider('clientId', 'clientSecret')