Creating an access token and choosing a role for it

Chris Biscardi
InstructorChris Biscardi
Share this video with your friends

Social Share Links

Send Tweet
Published 5 years ago
Updated 3 years ago

FaunaDB supports access keys with four sets of permissions, or roles. You need an access token to use a language driver like the Go driver to access FaunaDB. It is not exposed by default. The four roles are: Admin, Server, Server-ReadOnly, and Client. We'll go over what these roles are and how to choose one for your use case.

Instructor: [00:00] Here we are in the FaunaDB console. If we go to our database page and go to security, we'll be able to create a new access key. We need a new key to access the database from any of our client drivers. Note that we get to choose the database, in this case testDemo. It's possible that there could be nested databases here, in which case we'd have another option.

[00:22] Then we have a choice from four roles. Admin is full privileges. You probably don't want this. The next two interesting ones are server and server-readOnly. Server allows us to do destructive operations to the database we've selected, while server-readOnly only allows us to read them. These are good for lambdas or other service-based programming environments.

[00:41] Finally, we have client. Client only allows us to read specially marked public data. For example, because I have a lambda where I need to insert documents, I chose the server role. If my lambda only made queries to read, I could use the readOnly role.

[00:56] We can give the key a keyname and assign it a priority. A priority is a number between 1 and 500 that allows us to specify how important this key is, compared to all of the other keys. This importance is used to judge the priority of scheduling resources for each key. Note that this applies to high levels of saturation. We'll save our key.

[01:15] We can see our key is secret right here. As the notice says, it won't be displayed again. We have to go save it in 1Password or other password management solution, like Vault. We can see the key name in the ID, the role of the key and the database it's associated with. We can also revoke our key, which we'll do now.

[01:35] Note that now we've revoked our key and we have no keys left. We'll need to create a new key if we wanted to use it in one of the other client drivers.

~ 13 minutes ago

Member comments are a way for members to communicate, interact, and ask questions about a lesson.

The instructor or someone from the community might respond to your question Here are a few basic guidelines to commenting on

Be on-Topic

Comments are for discussing a lesson. If you're having a general issue with the website functionality, please contact us at

Avoid meta-discussion

  • This was great!
  • This was horrible!
  • I didn't like this because it didn't match my skill level.
  • +1 It will likely be deleted as spam.

Code Problems?

Should be accompanied by code! Codesandbox or Stackblitz provide a way to share code and discuss it in context

Details and Context

Vague question? Vague answer. Any details and context you can provide will lure more interesting answers!

Markdown supported.
Become a member to join the discussionEnroll Today