Managing Credentials

When user authentication is enabled, the TigerGraph system will execute a requested operation only if the requester provides credentials for a user who has the privilege to perform the requested operation.

The TigerGraph system offers two options for credentials.

  • Username and password pair.

  • API token: A unique 32-character string that can be used for REST++ requests. A token expires 1 month from the date of creation by default. Users can use their secrets or their username and password pair to generate a token.

The following set of commands are used to create and manage passwords and secrets.

GSQL Commands for Managing Credentials
DROP SECRET <secret1>

Like any other GSQL commands, the user must supply credentials to run these commands. In order to create a secret, the user must supply their password.


Users can change their own password with the ALTER PASSWORD command. If the user has the WRITE_USER privilege, they can change the password of another user.


If a username is not provided, the command changes the password of the current user. To change the password of another user, specify the username of the user whose password you wish to change:

Example: User changing his/her own password
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.
Example: Admin changing another user’s password
tigergraph:GSQL > ALTER PASSWORD hermione
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.

ACL passwords

Users have the option of setting an ACL password. When a user has an ACL password, operations that modify ACL privileges of queries owned by the user requires the ACL password. These operations include:

  • Changing the owner of a query

  • Modifying the ACL privileges on a query


Secrets are unique strings that serve as a user’s credentials in certain circumstances. A user can have multiple secret strings. Each secret is associated with one user and their role for one graph. If the role is revoked, the secret also becomes invalid.

Create a secret


Use the CREATE SECRET command to generate a secret for the current user and graph. It is optional to provide an alias for the secret.

The system will generate a random alias for the secret if the user does not provide an alias for that secret. Randomly generated aliases begin with AUTO_GENERATED_ALIAS_ and include a random 7-character string.

Required privilege

At least one of the database access privileges on the given graph: READ_DATA, CREATE_DATA, UPDATE_DATA, DELETE_DATA or EXECUTE_LOADINGJOB. The built-in queryreader role satisfies this requirement.

List secrets


Use SHOW SECRET to list all secrets of the current user. The secrets will be masked and only the first and last three characters of the secrets will be shown. The alias of the secret and the graph that the secret is associated with will also be listed:

    - Secret: s7s****3k5
      - Alias: HH
      - GraphName: Hogwarts
    - Secret: 75j****9i2
      - Alias: LL
      - GraphName: London

Drop a secret

DROP SECRET <secret>

Use the DROP SECRET command to drop a secret. Since a user can have multiple secrets, the secret to drop must be specified in the command. You can specify a secret either by the secret string itself or by its alias. If you drop a secret, the tokens associated with the secret also become invalid.