---
title: "Using an access policy token | Grafana Cloud documentation"
description: "How to get started using your Cloud Access Policy token."
---

> For a curated documentation index, see [llms.txt](/llms.txt). For the complete documentation index, see [llms-full.txt](/llms-full.txt).

# Using an access policy token

The main uses for Cloud Access Policy tokens are:

- To read data (metrics, logs, etc.) from a stack using a Grafana data source.
- To write data (metrics, logs, etc.) to a stack using Grafana Alloy.
- To interact with the [Grafana Cloud API](../../../../developer-resources/api-reference/cloud-api/).

To create an access policy and token, see these instructions: [Create access policies and tokens](../create-access-policies/).

### Creating a data source with a Grafana Cloud token in Grafana UI

Follow these steps to create or configure a data source in Grafana using a Cloud Access Policy token:

1. **Copy the token**: Start by copying the token associated with the service you are integrating (e.g., Loki, Prometheus, Tempo).
2. **Navigate to Connections**: In Grafana, open the left-side menu and select **Connections**.
3. **Select or Add a Data Source**: Use the filter to find the data source you want to add or update. When adding a new data source, Grafana will guide you to the configuration page for that source.
4. **Configure Authentication**:
   
   - Go to the **Settings** tab for the data source.
   - In the **Basic Auth** section, enter the required credentials:
     
     - For services like Loki, use the log tenant ID as the **User**.
     - Enter the Grafana Cloud token as the **Password**.
5. **Save and Test**: Click **Save & Test** to confirm the configuration. Grafana will verify the connection to ensure that it is correctly set up.

For further guidance and specific details, refer to the relevant integration documentation.

- [Alertmanager](/docs/grafana/latest/datasources/alertmanager/)
- [Graphite](/docs/grafana/latest/datasources/graphite/)
- [Loki](/docs/grafana/latest/datasources/loki/)
- [Prometheus](/docs/grafana/latest/datasources/prometheus/)
- [Tempo](/docs/grafana/latest/datasources/tempo/)

> Note
> 
> You can see specific configuration instructions for creating data sources based on Grafana Cloud Prometheus, Loki, Graphite, Tempo, or Alert Manager by signing into your Grafana Cloud account, choosing a stack, and selecting the given service.

### Creating a data source with a Grafana Cloud token using Terraform

You can provision a data source using a Terraform resource by providing a Cloud Access Policy token. Here is a sample Terraform configuration you can use as a base:

terraform ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```terraform
// Provision a Cloud Access Policy
resource "grafana_cloud_access_policy" "test" {
  provider      = grafana
  region        = "eu"
  name          = "terraform-test-policy-assets"
  display_name  = "Terraform Test Policy ASSETS"
  scopes        = ["metrics:read", "logs:read", "metrics:write", "logs:write"]

  realm {
    type       = "org"
    identifier = data.grafana_cloud_organization.current.id

    label_policy {
      selector = "{namespace=\"default\"}"
    }
  }
}

// Provision a Cloud Access Policy token
resource "grafana_cloud_access_policy_token" "test" {
  region           = "eu"
  access_policy_id = grafana_cloud_access_policy.test.policy_id
  name             = "my-policy-token"
  display_name     = "My Policy Token"
  expires_at       = "2024-01-01T00:00:00Z"
}

# Provision a datasource using the access policy token we just made
resource "grafana_data_source" "prometheus" {
  provider            = grafana
  type                = "prometheus"
  name                = "mimir"
  url                 = "https://prometheus-us-central1.grafana.net/api/prom"
  basic_auth_enabled  = true
  basic_auth_username = "740141"

  json_data_encoded = jsonencode({
    httpMethod        = "POST",
    tokenName         = "terraform-test-policy-assets",
    prometheusType    = "Mimir",
    prometheusVersion = "2.4.0"
  })

  secure_json_data_encoded = jsonencode({
    basicAuthPassword = grafana_cloud_access_policy_token.test.token
  })
}
```

## Use the token to authenticate Grafana Cloud API requests

To use the [Grafana Cloud API](/docs/grafana-cloud/developer-resources/api-reference/cloud-api/), authenticate requests with an access policy token. Include the token in the `Authorization` header for all requests:

http ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```http
GET https://grafana.com/api/instances/<STACK_SLUG>/plugins HTTP/1.1
Accept: application/json
Authorization: Bearer <CLOUD ACCESS POLICY TOKEN>
```

Requests to the Grafana Cloud API are authenticated using the `Authorization` header:

Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```bash
Authorization: Bearer <CLOUD ACCESS POLICY TOKEN>
```