Skip to main content
Create tokens for a single database or all databases in a group using the CLI: 
# Token for a single database
turso db tokens create <database-name>

# Token for all databases in a group
turso group tokens create <group-name>
You can control token scope and expiration:
FlagDescription
-r, --read-onlyCreate a read-only token (queries only, no writes)
-e, --expirationSet token expiration (never, 7d, 30d, etc.)
--attachAllow ATTACH access to additional databases
turso db tokens create mydb --read-only
You can also create tokens using the Platform API.

Invalidating Tokens

You can invalidate all existing tokens for a database or group, which rotates the signing keys: 
# Invalidate all tokens for a database
turso db tokens invalidate <database-name>

# Invalidate all tokens for a group (and all its databases)
turso group tokens invalidate <group-name>