How to rotate an InfluxDB 3 Core admin token

Rotating the InfluxDB 3 Core operator admin token replaces the _admin credential that can administer the whole server. Use it after exposure, staff changes, or scheduled secret rotation when the current operator token should stop authenticating.

The influxdb3 create token --admin --regenerate command requires the current operator token and asks for confirmation before returning the replacement token string. InfluxDB 3 Core stores only the hash and metadata, so the raw replacement token must go directly into a secret manager or private session.

Regeneration applies only to the operator admin token. Named admin tokens are rotated by creating a replacement named token and deleting the old named token after clients move, so confirm the token row is _admin before using the regeneration flow.

Related: How to create an InfluxDB 3 Core admin token
Related: How to check InfluxDB server health

Steps to rotate the InfluxDB 3 Core operator admin token:

  1. Set the current operator token for the CLI session. 
    $ export INFLUXDB3_AUTH_TOKEN='apiv3_0OLDTOKEN'

    Use the real current operator token in a private shell. Do not paste raw admin tokens into shared transcripts, tickets, screenshots, or committed scripts.

  2. Set the server URL when the CLI is not running on the Core host. 
    $ export INFLUXDB3_HOST_URL=http://localhost:8181

    Skip this when the CLI should use the default local listener at http://127.0.0.1:8181.

  3. List tokens and confirm the operator token row. 
    $ influxdb3 show tokens
+----------+--------+-----------+-------------------------+-------------+---------------------+------------+---------------------+--------+-------------+
| token_id | name   | hash      | created_at              | description | created_by_token_id | updated_at | updated_by_token_id | expiry | permissions |
+----------+--------+-----------+-------------------------+-------------+---------------------+------------+---------------------+--------+-------------+
| 0        | _admin | 72fbe1ca8 | 2026-06-20T04:09:44.504 |             |                     |            |                     |        | *:*:*       |
+----------+--------+-----------+-------------------------+-------------+---------------------+------------+---------------------+--------+-------------+

    The _admin row is the operator token. Do not use --regenerate for named admin tokens.

  4. Regenerate the operator token and confirm the prompt. 
    $ influxdb3 create token --admin --regenerate --format json
Are you sure you want to regenerate admin token? Enter 'yes' to confirm
yes
{
  "help_msg": "Store this token securely, as it will not be shown again. HTTP requests require the following header: \"Authorization: Bearer apiv3_0NEWTOKEN\"",
  "token": "apiv3_0NEWTOKEN"
}

    The previous operator token stops authenticating as soon as regeneration completes. Copy the real token value to the secret store before closing the terminal.

  5. Replace the old token in client secrets and automation.

    Update systemd environment files, container secrets, CI variables, scripts, and application secret stores that used the old operator token. Restart or redeploy clients that cache environment variables at process start.

  6. Set the replacement token for the current CLI session. 
    $ export INFLUXDB3_AUTH_TOKEN='apiv3_0NEWTOKEN'
  7. Verify that the replacement token can still administer tokens. 
    $ influxdb3 show tokens
+----------+--------+-----------+-------------------------+-------------+---------------------+-------------------------+---------------------+--------+-------------+
| token_id | name   | hash      | created_at              | description | created_by_token_id | updated_at              | updated_by_token_id | expiry | permissions |
+----------+--------+-----------+-------------------------+-------------+---------------------+-------------------------+---------------------+--------+-------------+
| 0        | _admin | 772df52db | 2026-06-20T04:09:44.504 |             |                     | 2026-06-20T04:09:44.659 | 0                   |        | *:*:*       |
+----------+--------+-----------+-------------------------+-------------+---------------------+-------------------------+---------------------+--------+-------------+

    The changed hash and populated updated_at value show that the operator token metadata was updated. The raw token string is not shown again.

  8. Confirm that the old token is rejected. 
    $ INFLUXDB3_AUTH_TOKEN='apiv3_0OLDTOKEN' influxdb3 show tokens
Show command failed: server responded with error [401 Unauthorized]: {"error": "the request was not authenticated"}