Skip to content

Document use-hashed-tokens configuration option #6585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gwossum wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Document use-hashed-tokens configuration option #6585

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fd2be56
Document use-hashed-tokens configuration option
gwossum Dec 2, 2025
a1abc31
Update documentation for use-hashed-tokens option
gwossum Dec 2, 2025
2b1ccf0
Merge branch 'master' into gw/use-hashed-tokens
sanderson Dec 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions content/influxdb/v2/reference/config-options.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,7 @@ To configure InfluxDB, use the following configuration options when starting the
- [tls-strict-ciphers](#tls-strict-ciphers)
- [tracing-type](#tracing-type)
- [ui-disabled](#ui-disabled)
- [use-hashed-tokens](#use-hashed-tokens)
- [vault-addr](#vault-addr)
- [vault-cacert](#vault-cacert)
- [vault-capath](#vault-capath)
Expand Down Expand Up @@ -3470,6 +3471,61 @@ ui-disabled = true

---

### use-hashed-tokens
Enable storing hashed API tokens on disk. Hashed tokens are disabled by default in version 2.8. Hashed tokens will be enabled by default in a future version.

Storing hashed tokens increases security by storing API tokens as hashes on disk. When enabled, all unhashed tokens are converted to hashed tokens on every startup leaving no unhashed tokens on disk. Newly created tokens are also stored as hashes. Lost tokens must be replaced when token hashing is enabled because the hashing prevents them from being recovered.

If token hashing is disabled after being enabled, any hashed tokens on disk remain as hashed tokens. Newly created tokens are stored unhashed when token hashing is disabled. Hashed tokens on disk remain valid and useable even with token hashing disabled.

Hashed token support is available in versions 2.8.0 and newer. Downgrading to older versions is not recommended after enabling hashed tokens because the downgrade process deletes all stored hashed tokens. All hashed tokens must be replaced on a downgrade after hashed tokens are enabled.

**Default:** `false`

| influxd flag | Environment variable | Configuration key |
| :-------------- | :-------------------- | :---------------- |
| `--use-hashed-tokens` | `INFLUXD_USE_HASHED_TOKENS` | `use-hashed-tokens` |

###### influxd flag
<!--pytest.mark.skip-->

```sh
influxd --use-hashed-tokens
```

###### Environment variable
```sh
export INFLUXD_USE_HASHED_TOKENS=true
```

###### Configuration file
{{< code-tabs-wrapper >}}
{{% code-tabs %}}
[YAML](#)
[TOML](#)
[JSON](#)
{{% /code-tabs %}}
{{% code-tab-content %}}
```yml
use-hashed-tokens: true
```
{{% /code-tab-content %}}
{{% code-tab-content %}}
```toml
use-hashed-tokens = true
```
{{% /code-tab-content %}}
{{% code-tab-content %}}
```json
{
"use-hashed-tokens": true
}
```
{{% /code-tab-content %}}
{{< /code-tabs-wrapper >}}

---

### vault-addr
Specifies the address of the Vault server expressed as a URL and port.
For example: `https://127.0.0.1:8200/`.
Expand Down