From fd2be56f24259dadaa9929f14ec5f17f36fd7720 Mon Sep 17 00:00:00 2001 From: Geoffrey Wossum Date: Tue, 2 Dec 2025 15:19:00 -0600 Subject: [PATCH 1/2] Document use-hashed-tokens configuration option Added documentation for the use-hashed-tokens option, including its benefits, default value, and configuration methods. --- .../influxdb/v2/reference/config-options.md | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/content/influxdb/v2/reference/config-options.md b/content/influxdb/v2/reference/config-options.md index 4f639b6abc..6502e70422 100644 --- a/content/influxdb/v2/reference/config-options.md +++ b/content/influxdb/v2/reference/config-options.md @@ -194,6 +194,7 @@ To configure InfluxDB, use the following configuration options when starting the - [tls-strict-ciphers](#tls-strict-ciphers) - [tracing-type](#tracing-type) - [ui-disabled](#ui-disabled) +- [use-hashed-tokens](#use-hashed-tokens) - [vault-addr](#vault-addr) - [vault-cacert](#vault-cacert) - [vault-capath](#vault-capath) 
@@ -3470,6 +3471,61 @@ ui-disabled = true --- +### use-hashed-tokens +Enable storing hashed API tokens on disk. Hashed tokens are disabled by default. + +Storing hashed tokens increases security by storing API tokens as hashes on disk. When enabled, all unhashed tokens are converted to hashed tokens on every startup leaving no unhashed tokens on disk. Newly created tokens are also stored as hashes. Lost tokens must be replaced when token hashing is enabled because the hashing prevents them from being recovered. + +If token hashing is disabled after being enabled, any hashed tokens on disk remain as hashed tokens. Newly created tokens are stored unhashed when token hashing is disabled. Hashed tokens on disk remain valid and useable even with token hashing disabled. + +Hashed token support is available in versions 2.8.0 and newer. Downgrading to older versions is not recommended after enabling hashed tokens because the downgrade process deletes all stored hashed tokens. All hashed tokens must be replaced on a downgrade after hashed tokens are enabled. + +**Default:** `false` + +| influxd flag | Environment variable | Configuration key | +| :-------------- | :-------------------- | :---------------- | +| `--use-hashed-tokens` | `INFLUXD_USE_HASHED_TOKENS` | `use-hashed-tokens` | + +###### influxd flag + + +```sh +influxd --use-hashed-tokens +``` + +###### Environment variable +```sh +export INFLUXD_USE_HASHED_TOKENS=true +``` + +###### Configuration file +{{< code-tabs-wrapper >}} +{{% code-tabs %}} +[YAML](#) +[TOML](#) +[JSON](#) +{{% /code-tabs %}} +{{% code-tab-content %}} +```yml +use-hashed-tokens: true +``` +{{% /code-tab-content %}} +{{% code-tab-content %}} +```toml +use-hashed-tokens = true +``` +{{% /code-tab-content %}} +{{% code-tab-content %}} +```json +{ + "use-hashed-tokens": true +} +``` +{{% /code-tab-content %}} +{{< /code-tabs-wrapper >}} + +--- + ### vault-addr Specifies the address of the Vault server expressed as a URL and port. 
For example: `https://127.0.0.1:8200/`. From a1abc318d762911573ff62a532ca7a090b07c586 Mon Sep 17 00:00:00 2001 From: Geoffrey Wossum Date: Tue, 2 Dec 2025 16:14:06 -0600 Subject: [PATCH 2/2] Update documentation for use-hashed-tokens option Clarify default behavior for hashed API tokens in version 2.8 and future versions. --- content/influxdb/v2/reference/config-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/influxdb/v2/reference/config-options.md b/content/influxdb/v2/reference/config-options.md index 6502e70422..5909d50e04 100644 --- a/content/influxdb/v2/reference/config-options.md +++ b/content/influxdb/v2/reference/config-options.md @@ -3472,7 +3472,7 @@ ui-disabled = true --- ### use-hashed-tokens -Enable storing hashed API tokens on disk. Hashed tokens are disabled by default. +Enable storing hashed API tokens on disk. Hashed tokens are disabled by default in version 2.8. Hashed tokens will be enabled by default in a future version. Storing hashed tokens increases security by storing API tokens as hashes on disk. When enabled, all unhashed tokens are converted to hashed tokens on every startup leaving no unhashed tokens on disk. Newly created tokens are also stored as hashes. Lost tokens must be replaced when token hashing is enabled because the hashing prevents them from being recovered.
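Review bot: In PATCH 1/2, the `@@ -3470,6 +3471,61 @@` hunk describes a one-way, automatic migration in ordinary prose, and it deserves a warning placed ahead of the flag, environment variable and configuration file examples. The added text says "all unhashed tokens are converted to hashed tokens on every startup", that hashed tokens stay hashed if the option is later disabled, and that a downgrade "deletes all stored hashed tokens". Taken together, the first start with the option enabled cannot be undone for existing tokens. Suggest saying that explicitly and telling operators to confirm they hold a copy of every token they still need before enabling it, since "the hashing prevents them from being recovered". Two smaller points in the same hunk: "increases security by storing API tokens as hashes on disk" restates the feature rather than naming what it protects against, and "useable" should be "usable".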
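Review bot: In PATCH 2/2, the changed sentence under `### use-hashed-tokens` announces that hashed tokens "will be enabled by default in a future version", but the `**Default:** `false`` line added in PATCH 1/2 is left unqualified and nothing tells operators how to keep the current behaviour. Because the same section states that downgrading after enabling hashed tokens deletes them, a future default change would make an upgrade destructive to roll back for anyone relying on the default. Suggest adding that operators who want unhashed storage should set `use-hashed-tokens` to `false` explicitly rather than rely on the default, and scoping the Default line to the version it applies to. The new wording also says "version 2.8" while the later paragraph says "versions 2.8.0 and newer"; pick one form.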