Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Grafana By James Joyner IV · · 9 min read

Grafana Error Guide: InfluxDB 'unauthorized' — Bad Token, Org or Bucket

Fix Grafana InfluxDB 'unauthorized' data source errors — correct the API token, org and bucket for InfluxDB 2.x/Flux, fix v1 user/password and query language mismatches, and test access.

  • #grafana
  • #troubleshooting
  • #errors
  • #influxdb

Overview

When Grafana queries InfluxDB and the credentials or org/bucket are wrong, InfluxDB rejects the request with 401 unauthorized. The most common trap is a mismatch between the InfluxDB version and the data-source config: InfluxDB 2.x uses an API token plus org and bucket (Flux), while 1.x uses username/password and a database (InfluxQL). Configure one as the other and every query returns unauthorized.

The literal errors you will see:

InfluxDB Error: unauthorized access
{"code":"unauthorized","message":"unauthorized access"}
error authorizing query: ... unauthorized: read:orgs/.../buckets is unauthorized

It occurs on “Save & test” of the data source and on every panel query — panels show “unauthorized” and no data.

Symptoms

  • Data source “Save & test” reports unauthorized / 401.
  • All InfluxDB panels show no data with an unauthorized error.
  • Worked before a token rotation or an InfluxDB 1.x→2.x upgrade.
  • curl to InfluxDB with the same token returns 401.
curl -s -o /dev/null -w "%{http_code}\n" \
  -H "Authorization: Token $INFLUX_TOKEN" \
  "http://influxdb:8086/api/v2/query?org=myorg" -d ''
401

Common Root Causes

1. Wrong or expired API token (InfluxDB 2.x)

The token in the data source is mistyped, revoked, or rotated. InfluxDB 2.x expects Authorization: Token <token>.

curl -s -H "Authorization: Token $INFLUX_TOKEN" \
  "http://influxdb:8086/api/v2/buckets?org=myorg" | jq '.buckets[].name' 2>/dev/null
{"code":"unauthorized","message":"unauthorized access"}

2. Token lacks permission for the org/bucket

A token scoped to a different org, or without read permission on the target bucket, authenticates but isn’t authorized for the query.

3. Org or bucket name wrong / mismatched

The data source’s org or bucket (or defaultBucket in Flux) doesn’t match InfluxDB, so the read is unauthorized.

4. Version/query-language mismatch

Data source set to Flux (2.x) but pointed at a 1.x server (or vice-versa: InfluxQL config with a v2 token). The auth model differs, yielding 401.

# Grafana provisioned data source (InfluxDB 2.x / Flux)
apiVersion: 1
datasources:
  - name: InfluxDB
    type: influxdb
    access: proxy
    url: http://influxdb:8086
    jsonData:
      version: Flux
      organization: myorg
      defaultBucket: metrics
    secureJsonData:
      token: ${INFLUX_TOKEN}

5. v1 credentials wrong (InfluxDB 1.x)

For 1.x/InfluxQL, a wrong user/password or a database the user can’t read returns 401.

Diagnostic Workflow

Step 1: Reproduce auth outside Grafana

# InfluxDB 2.x
curl -s -H "Authorization: Token $INFLUX_TOKEN" \
  "http://influxdb:8086/api/v2/buckets?org=myorg" | jq '.buckets[]?.name'
# InfluxDB 1.x
curl -s -G "http://influxdb:8086/query" \
  --data-urlencode "q=SHOW DATABASES" -u "$USER:$PASS"

Step 2: Confirm which InfluxDB version you’re on

curl -s http://influxdb:8086/health | jq '{name,version,status}'

Match the data source version (Flux vs InfluxQL) to the server.

Step 3: Verify org and bucket exist and the token can read them

curl -s -H "Authorization: Token $INFLUX_TOKEN" \
  "http://influxdb:8086/api/v2/authorizations" | jq '.authorizations[].permissions' 2>/dev/null

Step 4: Check the Grafana data-source config

grep -RiE "organization|defaultBucket|version|url" /etc/grafana/provisioning/datasources/
journalctl -u grafana-server --no-pager | grep -i influx | tail

Step 5: Fix and re-test via the Grafana API

# After correcting token/org/bucket, test the datasource
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
  "http://localhost:3000/api/datasources/uid/<uid>/health" | jq

Example Root Cause Analysis

After migrating from InfluxDB 1.8 to 2.7, every InfluxDB panel shows “unauthorized”. The data source still had version: InfluxQL with a username/password. A direct check:

curl -s http://influxdb:8086/health | jq '{version,status}'
{"version":"2.7.4","status":"pass"}

The server is 2.x (token/org/bucket auth), but Grafana is sending 1.x-style basic auth, so InfluxDB returns 401 unauthorized. Creating a read token for the org/bucket and switching the data source to Flux fixes it:

jsonData:
  version: Flux
  organization: myorg
  defaultBucket: metrics
secureJsonData:
  token: ${INFLUX_TOKEN}

Re-test:

curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
  "http://localhost:3000/api/datasources/uid/<uid>/health" | jq '.status,.message'
"OK"
"data source is working"

Root cause: an InfluxDB version/auth-model mismatch after the upgrade — the config still spoke InfluxQL/basic-auth to a token-based v2 server.

Prevention Best Practices

  • Match the data-source version (Flux vs InfluxQL) to the InfluxDB server version; re-check after any upgrade.
  • Use org/bucket-scoped read tokens for 2.x, stored in secureJsonData.token (never in plain jsonData or Git).
  • After token rotation, update the data source (or reference an env var/secret) and re-run the health check.
  • Verify the token’s permissions cover the exact org and bucket the dashboards query.
  • Provision data sources as code so credentials and version settings are consistent across environments.
  • See more Grafana guides.

Quick Command Reference

# Which InfluxDB version?
curl -s http://influxdb:8086/health | jq '{version,status}'

# 2.x: does the token work for the org?
curl -s -H "Authorization: Token $INFLUX_TOKEN" \
  "http://influxdb:8086/api/v2/buckets?org=myorg" | jq '.buckets[]?.name'

# 1.x: user/password + database
curl -s -G "http://influxdb:8086/query" \
  --data-urlencode "q=SHOW DATABASES" -u "$USER:$PASS"

# Grafana data-source config + logs
grep -RiE "organization|defaultBucket|version" /etc/grafana/provisioning/datasources/
journalctl -u grafana-server | grep -i influx | tail

# Test the data source via Grafana
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
  "http://localhost:3000/api/datasources/uid/<uid>/health" | jq

Conclusion

An InfluxDB unauthorized in Grafana is a credential/scope failure at the data source. Typical root causes:

  1. A wrong or expired API token (2.x) — Authorization: Token rejected.
  2. A token lacking permission for the target org/bucket.
  3. A mismatched org or bucket name in the data source.
  4. A version/query-language mismatch (Flux vs InfluxQL) after an upgrade.
  5. Wrong v1 username/password or an unreadable database (1.x).

Reproduce the auth with curl outside Grafana and confirm the server version first — most “unauthorized” cases are a token or a Flux-vs-InfluxQL mismatch, not Grafana itself.

Free download · 368-page PDF

Download the Free 500-Prompt DevOps AI Toolkit

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.