Manage Tokens

There are two different tokens within Astra - the Astra token and the Astra Streaming Pulsar token.

The Astra token is used for authentication within Astra Portal and the DevOps API.

The Pulsar token is a native Pulsar JSON Web Token (JWT) token that controls authentication to the Pulsar cluster.

What’s the difference?

The Astra token is an access token. It is used to authenticate your service account in the DevOps API and Astra Portal.

The Astra Streaming Pulsar token is a JWT token. Astra forwards the token on to the Pulsar cluster, which verifies if the role in allowed.

In general, actions related to your Astra Org (tenant management, members, org billing, usage metrics, etc.) use your Astra Token, and actions specific to a Pulsar tenant (message namespaces, topics, message metrics, etc.) use a Pulsar JWT token.

For more, see SSO Roles and Permissions.

Generate Astra token

The Astra token can be generated with the DevOps API or the UI.

DevOps API

  1. Create an application token to authenticate your service account in the DevOps API.

  2. Once you have authenticated your service account, you can create and revoke tokens with the DevOps API.

  3. Get all clients within the organization:

    • Curl

    • Result

    curl --request GET \
 --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <application_token>'
    {"clients":[
	{"clientId":"DkFtHKMhDQDuQtlExkSzwbya",
		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
		"generatedOn":"2021-02-22T17:09:58.668Z"},
	{"clientId":"eYSboCJaESiblJZnKZWMxROv",
		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
		"generatedOn":"2021-04-28T18:49:11.323Z"}
]}

  4. Create an application token for a specific client:

    • Curl

    • Result

    curl --request POST \
 --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <application_token>' \
 --data '{"roles": ["<roleId>"]}'
    {
  "clientId":"zjCEYwRGWocLfQJHBNQxvorr",
  "secret":"SLR.cllL1YzfJDnl+YhUv5DMKlx8HaeMFTKjIJ4I6YdKB7w-K7U_+j-a9daWbbcp0uugXW,hb.3J2S0PPqDNhT6+oUiPYYaI+,xuwm2O97.ZpHcYvCsnlrTyl8w1pH-0",
  "orgId":"dccb8c32-cc2a-4bea-bd95-47ab8eb20510",
  "roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
  "token":"AstraCS:zjCEYwRGWocLfQJHBNQxvorr:8709074baaf63e746cc5de52891e3a5ca88c73ae1fb7336652e9b59b9e69eff2",
  "generatedOn":"2021-04-30T19:38:26.147847107Z"
}

    For the roleId, provide the relevant role’s id UUID value from a prior GET query, as shown in Getting existing roles in your organization. The API results will show the UUID for each role id.

  5. In the command-line interface associated with your environment, paste the following environment variable copied from token generation:

    export ASTRA_DB_APPLICATION_TOKEN=<<REPLACE_WITH_YOUR_TOKEN>>

Generate Astra token in Astra Portal

  1. From any page in Astra Portal, select the Organizations dropdown.

  2. In the main dropdown, select Organization Settings.

  3. From your Organization page, select Token Management.

  4. Select the role you want to attach to your token. The permissions for your selected role will be displayed.

  5. Select Generate Token. Astra Streaming will generate your token and display the Client ID, Client Secret, and Token.

  6. Download your Client ID, Client Secret, and Token.

    After you navigate away from the page, you won’t be able to download your Client ID, Client Secret, and Token again.

  7. In the command-line interface associated with your environment, paste the following environment variable copied from token generation:

    export ASTRA_DB_APPLICATION_TOKEN=<<REPLACE_WITH_YOUR_TOKEN>>

  8. You can now execute DevOps API commands from your terminal to your database.

Delete Astra token

If you need to limit access to your database, you can delete a token.

  1. Select the overflow menu for the token you want to delete.

  2. Select Delete to delete that token.

  3. If necessary, generate a new token for the same user role.

Generate Pulsar token

To generate, copy, or delete Astra Streaming Pulsar tokens within your streaming tenant, visit the Token Management section of your streaming tenant’s Settings page.

Select Create Token to generate a Pulsar token for this streaming tenant.

Token duration ranges from 7 days to never expiring.

If you choose a token with an expiration, ensure you replace your token with a new, valid Pulsar token before the expiration date.

Select the clipboard icon to copy a Pulsar token to your clipboard.

Set environment variables

Download your Pulsar connection info as detailed here.

In the command-line interface associated with your environment, paste the following environment variables copied for Astra Streaming:

export TENANT=<replace-me>
export INPUT_TOPIC=<replace-me>
export NAMESPACE=default
export BEARER_TOKEN=<Pulsar-token>

You can now execute Pulsar admin commands from your terminal to your database.

Delete Pulsar token

Select the trashcan icon to delete a Pulsar token.

Ensure you update your application with a new, valid Pulsar token before deletion. Applications using the deleted Pulsar token will no longer be able to connect to Astra Streaming.

For more on JSON Web Tokens, see the JWT documentation.

Which token should I use?

The line between AstraDB and Astra Streaming tokens can be a little unclear.

Think of pulsar-admin and the DevOps API as complementary tools with different scopes.

Use pulsar-admin for interacting with your Pulsar clusters. Topics, namespaces, tenants, and their metrics fall under this scope.

Use the DevOps API for org-wide Astra scope. Users, tenants, billing, and usage metrics fall under this scope.

Some cases can use pulsar-admin or the DevOps API - we want the tools to be complementary, not restrictive, so do what works best for you!

This section should help you choose which tool to use, and which token is required.

Use case Token

Track monthly usage

Astra token

Example

curl --request GET \
--url 'https://api.astra.datastax.com/v2/databases/<DATABASE_ID>' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <BEARER_TOKEN>'

Monitor a topic’s health

Pulsar token

Example

bin/pulsar-admin topics stats

Monitor a connector’s health

Pulsar token

Example

bin/pulsar-admin sinks status

Billing report by tenant

Astra token

Example

curl --request GET \
--url https://api.astra.datastax.com/admin/v2/stats/namespaces/<tenant>
--header 'Accept: application/json' \
--header 'Authorization: Bearer <BEARER_TOKEN>'

What’s next?

Use your new token to start streaming with the Getting started with Astra Streaming.

Was this helpful?

Edit this page

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com