The Token collection is a native collection of token documents. Tokens work with roles to grant identity-based access to a database. Documents in this collection have an immutable, Fauna-defined structure. An identity may have multiple tokens that can access multiple devices simultaneously.

There are two ways to create a token. When an identity is successfully authenticated by Credential.login() the method returns a Token and the Token.create() method. Use the create() method when identity-based access is required, but authentication is unnecessary or handled outside of Fauna.

By itself, a token does not authorize any resource privileges to its corresponding identity. After Credential.login() creates a token, it is used to connect to Fauna and make queries on behalf of the identity. The identity Credential specify a Role. The Role document configures the membership and the privileges authorized to the identity. See the Role collection for more information on configuring resource authorization.

A secret field is returned at token creation. This is a password-equivalent field. The caller must retrieve and store the secret at creation as the field isn’t accessible later. Fauna cannot recover a secret that is discarded or lost. So, secure secrets with the same care and attention as any password.

At creation time, a caller can set a time-to-live (ttl) value, the valid duration of the token. If ttl isn’t set, its default value is null, which causes the document to persist indefinitely or until deleted.