Create Tokens() understanding

Create database token:

// Key scoped to the child database; databaseToken.secret is the secret to use
// for a client that should operate inside that database.
const databaseToken = await rootClient.query(
  q.CreateKey({
    database: q.Database("database name"),
    role: 'admin',
  })
)

Then I create a user token (with a client using databaseToken):

// Token bound to one user document, valid for two days.
const userToken = await databaseClient.query(
  q.Create(
    q.Tokens(),
    {
      instance: q.Ref(q.Collection('users'), '308254373888158659'),
      ttl: q.TimeAdd(q.Now(), 2, 'days'),
    },
  )
)

Then I make requests with the received token (I create a client instance using this token) and want to get q.CurrentIdentity(), but the server returns 401 ‘Unauthorized’.
The questions are:
“Why does it not work?” or
“In which cases does a token contain an identity?” or
“What does instance mean in the Create params_object?” and
“Are there alternatives to using the Login function to log in and get restricted access?”

The code you posted that creates the admin key is specifying a child database. When you run the query that creates the token, have you switched to using the key’s secret? If not, the token won’t have access to the child database, it would only have access in the current database, and by default, tokens have no privileges until you grant them with an ABAC role.

I’m not sure that I understand your “Cases when token contain identity?” question. A key (that your first query created) is identity-less. It’s like having the root/administrator password to your computer. If you have those credentials, you can log in, but the system can’t tell if it’s you or someone else with access to those credentials. A “token” is identity-based. By using the Login function, you need to provide identity-specific credentials to get a token.

You are already using the only viable alternative to the Login function, by directly creating a token for a specific identity – that’s what the instance field points to; Fauna used to call documents “instances” prior to API 2.7, but we haven’t changed that field name as doing so would invalidate all existing tokens.

Thank you for the reply. This topic may be deleted; it’s my fault, I mixed up the tokens and tried to create a user token in a database where there is no such user. But in this case an error would be the more expected result; it’s very strange to get a token for a reference that does not exist.

const instanceKey = await databaseClient.query(
  q.Create(
    q.Tokens(),
    {
      // You can get a token for any nonexistent ref
      instance: q.Ref(q.Collection('users'), 'any_similar_to_id'),
      ttl: q.TimeAdd(q.Now(), 2, 'days'),
    },
  ),
);

Don’t worry about deleting the topic! The question and answers are still valuable for the extra context and clarification for the community.

Regarding the instance for Tokens, it is true that you can provide a Reference to nothing. A Reference is just that, a reference, or pointer. Fauna doesn’t know what it is until you try to Get the Reference.

To that end, ABAC predicate rules should behave as you expect: ABAC checks will fail if they rely on the contents of the Ref, which is the same thing that would happen if the Ref itself was valid, but the data inside failed the predicate.