{"id": "authentication:authentication-cli-create-token-restrict", "page": "authentication", "ref": "authentication-cli-create-token-restrict", "title": "Restricting the actions that a token can perform", "content": "Tokens created using datasette create-token ACTOR_ID will inherit all of the permissions of the actor that they are associated with. \n You can pass additional options to create tokens that are restricted to a subset of that actor's permissions. \n To restrict the token to just specific permissions against all available databases, use the --all option: \n datasette create-token root --all insert-row --all update-row \n This option can be passed as many times as you like. In the above example the token will only be allowed to insert and update rows. \n You can also restrict permissions such that they can only be used within specific databases: \n datasette create-token root --database mydatabase insert-row \n The resulting token will only be able to insert rows, and only to tables in the mydatabase database. \n Finally, you can restrict permissions to individual resources - tables, SQL views and named queries - within a specific database: \n datasette create-token root --resource mydatabase mytable insert-row \n These options have short versions: -a for --all, -d for --database and -r for --resource. \n You can add --debug to see a JSON representation of the token that has been created. 
Here's a full example: \n datasette create-token root \\\n --secret mysecret \\\n --all view-instance \\\n --all view-table \\\n --database docs view-query \\\n --resource docs documents insert-row \\\n --resource docs documents update-row \\\n --debug \n This example outputs the following: \n dstok_.eJxFizEKgDAMRe_y5w4qYrFXERGxDkVsMI0uxbubdjFL8l_ez1jhwEQCA6Fjjxp90qtkuHawzdjYrh8MFobLxZ_wBH0_gtnAF-hpS5VfmF8D_lnd97lHqUJgLd6sls4H1qwlhA.nH_7RecYHj5qSzvjhMU95iy0Xlc\n\nDecoded:\n\n{\n \"a\": \"root\",\n \"token\": \"dstok\",\n \"t\": 1670907246,\n \"_r\": {\n \"a\": [\n \"vi\",\n \"vt\"\n ],\n \"d\": {\n \"docs\": [\n \"vq\"\n ]\n },\n \"r\": {\n \"docs\": {\n \"documents\": [\n \"ir\",\n \"ur\"\n ]\n }\n }\n }\n}", "breadcrumbs": "[\"Authentication and permissions\", \"API Tokens\", \"datasette create-token\"]", "references": "[]"} {"id": "authentication:authentication-cli-create-token", "page": "authentication", "ref": "authentication-cli-create-token", "title": "datasette create-token", "content": "You can also create tokens on the command line using the datasette create-token command. \n This command takes one required argument - the ID of the actor to be associated with the created token. \n You can specify a -e/--expires-after option in seconds. If omitted, the token will never expire. \n The command will sign the token using the DATASETTE_SECRET environment variable, if available. You can also pass the secret using the --secret option. \n This means you can run the command locally to create tokens for use with a deployed Datasette instance, provided you know that instance's secret. \n To create a token for the root actor that will expire in one hour: \n datasette create-token root --expires-after 3600 \n To create a token that never expires using a specific secret: \n datasette create-token root --secret my-secret-goes-here", "breadcrumbs": "[\"Authentication and permissions\", \"API Tokens\"]", "references": "[]"}