Manage tokens
Astra Streaming uses two types of tokens that you can generate in Astra.
Astra application tokens
Astra application tokens are access tokens for authentication to the Astra Portal and the Astra Streaming DevOps API. You use these tokens for tenant administration, such as creating tenants and Pulsar tokens (JWT)
To create an Astra application token, see Manage application tokens.
Astra Streaming Pulsar tokens (JWT)
Astra Streaming Pulsar tokens are Apache Pulsar™ JSON Web Token (JWT) for authentication to your Astra Streaming Pulsar cluster through the Pulsar CLI, runtime clients, or the Pulsar Admin API. If necessary, Astra forwards the JWT to the Pulsar cluster for role verification.
You need a Pulsar JWT for actions related to Pulsar tenants, namespaces, messages, topics, and functions, as well as Pulsar CLI/API commands.
You can generate, copy, or delete Astra Streaming Pulsar tokens for each of your Astra Streaming tenants:
-
In the Astra Portal header, click Applications, and then select Streaming.
-
Click the name of your tenant where you want to manage tokens.
-
Click the Settings tab.
-
In the Token Management section, click Create Token.
-
Select a token expiration from 7 days to never.
Practice responsible credential management:
-
Be aware of the security implications for tokens that never expire.
-
Consider how long you actually plan to use the token.
-
-
Copy the token and store it securely.
The token is shown only once.
-
To delete a token, click Delete.
Ensure you update your application with a new, valid Pulsar token before deletion. Applications using the deleted Pulsar token will no longer be able to connect to Astra Streaming.
Set environment variables
Consider setting environment variables for sensitive and frequently used values, such as your authentication credentials and tenant connection details:
export TENANT=ASTRA_STREAMING_TENANT_NAME
export WEB_SERVICE_URL=ASTRA_STREAMING_TENANT_WEB_SERVICE_URL
export PULSAR_TOKEN=ASTRA_STREAMING_TENANT_PULSAR_TOKEN
export ASTRA_TOKEN=ASTRA_APPLICATION_TOKENWhen to use the tokens
The required credentials and connection details depend on the tool you use to interact with Astra Streaming:
- Astra Streaming DevOps API
-
To send requests to the Astra Streaming DevOps API, use an Astra application token.
For the DevOps API, the base URL is always
https://api.astra.datastax.com.For example:
Billing report by tenantcurl -sS --fail -L -X GET "https://api.astra.datastax.com/v2/stats/namespaces/$TENANT" \ --header "Accept: application/json" \ --header "Authorization: Bearer $ASTRA_TOKEN" - Astra Streaming Pulsar Admin API
-
To send requests to the Astra Streaming Pulsar Admin API, use your tenant’s web service URL and a Pulsar token. For example:
Get built-in sinkscurl -sS --fail -L -X GET "$WEB_SERVICE_URL/admin/v3/sinks/builtinsinks" \ -H "Authorization: $ASTRA_PULSAR_TOKEN" - OSS Pulsar REST APIs
-
To send requests to the open source Apache Pulsar project’s REST APIs, use your tenant’s web service URL and a Pulsar token.
- Pulsar CLI
-
Use a Pulsar token to authenticate with the Pulsar CLI.
The following commands use a Pulsar token declared in the
pulsar-adminbinary configuration so the token doesn’t have to be passed directly on the command line:Monitor a topic’s healthbin/pulsar-admin topics statsMonitor a connector’s healthbin/pulsar-admin sinks status - Astra CLI
-
Use an Astra application token to authenticate with the Astra CLI.
