Grafana Error Guide: InfluxDB 'unauthorized' — Bad Token, Org or Bucket
Fix Grafana InfluxDB 'unauthorized' data source errors — correct the API token, org and bucket for InfluxDB 2.x/Flux, fix v1 user/password and query language mismatches, and test access.
- #grafana
- #troubleshooting
- #errors
- #influxdb
Overview
When Grafana queries InfluxDB and the credentials or org/bucket are wrong, InfluxDB rejects the request with 401 unauthorized. The most common trap is a mismatch between the InfluxDB version and the data-source config: InfluxDB 2.x uses an API token plus org and bucket (Flux), while 1.x uses username/password and a database (InfluxQL). Configure one as the other and every query returns unauthorized.
The literal errors you will see:
InfluxDB Error: unauthorized access
{"code":"unauthorized","message":"unauthorized access"}
error authorizing query: ... unauthorized: read:orgs/.../buckets is unauthorized
It occurs on “Save & test” of the data source and on every panel query — panels show “unauthorized” and no data.
Symptoms
- Data source “Save & test” reports
unauthorized/401. - All InfluxDB panels show no data with an unauthorized error.
- Worked before a token rotation or an InfluxDB 1.x→2.x upgrade.
curlto InfluxDB with the same token returns401.
curl -s -o /dev/null -w "%{http_code}\n" \
-H "Authorization: Token $INFLUX_TOKEN" \
"http://influxdb:8086/api/v2/query?org=myorg" -d ''
401
Common Root Causes
1. Wrong or expired API token (InfluxDB 2.x)
The token in the data source is mistyped, revoked, or rotated. InfluxDB 2.x expects Authorization: Token <token>.
curl -s -H "Authorization: Token $INFLUX_TOKEN" \
"http://influxdb:8086/api/v2/buckets?org=myorg" | jq '.buckets[].name' 2>/dev/null
{"code":"unauthorized","message":"unauthorized access"}
2. Token lacks permission for the org/bucket
A token scoped to a different org, or without read permission on the target bucket, authenticates but isn’t authorized for the query.
3. Org or bucket name wrong / mismatched
The data source’s org or bucket (or defaultBucket in Flux) doesn’t match InfluxDB, so the read is unauthorized.
4. Version/query-language mismatch
Data source set to Flux (2.x) but pointed at a 1.x server (or vice-versa: InfluxQL config with a v2 token). The auth model differs, yielding 401.
# Grafana provisioned data source (InfluxDB 2.x / Flux)
apiVersion: 1
datasources:
- name: InfluxDB
type: influxdb
access: proxy
url: http://influxdb:8086
jsonData:
version: Flux
organization: myorg
defaultBucket: metrics
secureJsonData:
token: ${INFLUX_TOKEN}
5. v1 credentials wrong (InfluxDB 1.x)
For 1.x/InfluxQL, a wrong user/password or a database the user can’t read returns 401.
Diagnostic Workflow
Step 1: Reproduce auth outside Grafana
# InfluxDB 2.x
curl -s -H "Authorization: Token $INFLUX_TOKEN" \
"http://influxdb:8086/api/v2/buckets?org=myorg" | jq '.buckets[]?.name'
# InfluxDB 1.x
curl -s -G "http://influxdb:8086/query" \
--data-urlencode "q=SHOW DATABASES" -u "$USER:$PASS"
Step 2: Confirm which InfluxDB version you’re on
curl -s http://influxdb:8086/health | jq '{name,version,status}'
Match the data source version (Flux vs InfluxQL) to the server.
Step 3: Verify org and bucket exist and the token can read them
curl -s -H "Authorization: Token $INFLUX_TOKEN" \
"http://influxdb:8086/api/v2/authorizations" | jq '.authorizations[].permissions' 2>/dev/null
Step 4: Check the Grafana data-source config
grep -RiE "organization|defaultBucket|version|url" /etc/grafana/provisioning/datasources/
journalctl -u grafana-server --no-pager | grep -i influx | tail
Step 5: Fix and re-test via the Grafana API
# After correcting token/org/bucket, test the datasource
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
"http://localhost:3000/api/datasources/uid/<uid>/health" | jq
Example Root Cause Analysis
After migrating from InfluxDB 1.8 to 2.7, every InfluxDB panel shows “unauthorized”. The data source still had version: InfluxQL with a username/password. A direct check:
curl -s http://influxdb:8086/health | jq '{version,status}'
{"version":"2.7.4","status":"pass"}
The server is 2.x (token/org/bucket auth), but Grafana is sending 1.x-style basic auth, so InfluxDB returns 401 unauthorized. Creating a read token for the org/bucket and switching the data source to Flux fixes it:
jsonData:
version: Flux
organization: myorg
defaultBucket: metrics
secureJsonData:
token: ${INFLUX_TOKEN}
Re-test:
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
"http://localhost:3000/api/datasources/uid/<uid>/health" | jq '.status,.message'
"OK"
"data source is working"
Root cause: an InfluxDB version/auth-model mismatch after the upgrade — the config still spoke InfluxQL/basic-auth to a token-based v2 server.
Prevention Best Practices
- Match the data-source
version(Flux vs InfluxQL) to the InfluxDB server version; re-check after any upgrade. - Use org/bucket-scoped read tokens for 2.x, stored in
secureJsonData.token(never in plain jsonData or Git). - After token rotation, update the data source (or reference an env var/secret) and re-run the health check.
- Verify the token’s permissions cover the exact org and bucket the dashboards query.
- Provision data sources as code so credentials and version settings are consistent across environments.
- See more Grafana guides.
Quick Command Reference
# Which InfluxDB version?
curl -s http://influxdb:8086/health | jq '{version,status}'
# 2.x: does the token work for the org?
curl -s -H "Authorization: Token $INFLUX_TOKEN" \
"http://influxdb:8086/api/v2/buckets?org=myorg" | jq '.buckets[]?.name'
# 1.x: user/password + database
curl -s -G "http://influxdb:8086/query" \
--data-urlencode "q=SHOW DATABASES" -u "$USER:$PASS"
# Grafana data-source config + logs
grep -RiE "organization|defaultBucket|version" /etc/grafana/provisioning/datasources/
journalctl -u grafana-server | grep -i influx | tail
# Test the data source via Grafana
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
"http://localhost:3000/api/datasources/uid/<uid>/health" | jq
Conclusion
An InfluxDB unauthorized in Grafana is a credential/scope failure at the data source. Typical root causes:
- A wrong or expired API token (2.x) —
Authorization: Tokenrejected. - A token lacking permission for the target org/bucket.
- A mismatched org or bucket name in the data source.
- A version/query-language mismatch (Flux vs InfluxQL) after an upgrade.
- Wrong v1 username/password or an unreadable database (1.x).
Reproduce the auth with curl outside Grafana and confirm the server version first — most “unauthorized” cases are a token or a Flux-vs-InfluxQL mismatch, not Grafana itself.
Download the Free 500-Prompt DevOps AI Toolkit
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.