> ## Documentation Index > Fetch the complete documentation index at: https://docs.turso.tech/llms.txt > Use this file to discover all available pages before exploring further. # Platform Tokens Create tokens for a single database or all databases in a group using the CLI: ```bash theme={null} # Token for a single database turso db tokens create # Token for all databases in a group turso group tokens create ``` You can control token scope, permissions, and expiration: | Flag | Description | | --------------------- | ------------------------------------------------------------------------------------------------ | | `-r`, `--read-only` | Create a read-only token (queries only, no writes) | | `-p`, `--permissions` | Set [fine-grained permissions](/sdk/authorization/fine-grained-permissions) per table and action | | `-e`, `--expiration` | Set token expiration (`never`, `7d`, `30d`, etc.) | ```bash Read-only token theme={null} turso db tokens create mydb --read-only ``` ```bash Token with 7-day expiration theme={null} turso db tokens create mydb --expiration 7d ``` ```bash Fine-grained permissions theme={null} turso db tokens create mydb \ -p all:data_read \ -p comments:data_add,data_update ``` ```bash Combined scoping theme={null} turso db tokens create mydb \ --read-only \ --expiration 7d ``` You can also create tokens using the [Platform API](/api-reference/databases/create-token). ## Invalidating Tokens You can invalidate all existing tokens for a database or group, which rotates the signing keys: ```bash theme={null} # Invalidate all tokens for a database turso db tokens invalidate # Invalidate all tokens for a group (and all its databases) turso group tokens invalidate ```