
Tokens & security

Manage the install token that authenticates a fleet's collectors.

Every fleet has an install token that authenticates its collectors to Telflo over OpAMP. The token is embedded in the install bundles you download, so a collector installed from those files proves it belongs to the fleet.

Expiry

You choose a token expiry when you create the fleet: Never, 180 days, 1 year, or 2 years. The fleet detail page shows the active token and when it expires.

Rotate a token

Rotating issues a new token and supersedes the old one. Rotate when:

  • The token is approaching expiry.
  • You want to refresh credentials on a schedule.

After rotating, collectors need install files that carry the new token — re-download the bundle and update existing hosts as needed.

Revoke a token

Revoking invalidates a token immediately. Revoke when a token may have been exposed. Collectors relying on a revoked token can no longer authenticate to the fleet until they're reinstalled with a valid token.

Good practice

  • Keep tokens out of source control and shared docs — they're credentials.
  • Prefer a bounded expiry over Never for long-lived fleets, and rotate periodically.
  • Use the Vault for secrets inside your configurations (API keys, backend credentials) so they're never embedded in the YAML you publish.
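
One way to enforce the first point, as an added example that is not Telflo's own code: a pre-commit style scanner that recognises a known install token by its length and SHA-256 fingerprint, so the check itself never stores the token. The function names, the sample token and the sample file contents are all constructed for illustration, and the approach assumes tokens are long random strings.

```python
import hashlib
import sys

def fingerprint(token: str) -> tuple:
    """(length, SHA-256 hex) of a token: enough to recognise it, not to use it."""
    raw = token.encode()
    return (len(raw), hashlib.sha256(raw).hexdigest())

def find_tokens(data: bytes, fingerprints) -> list:
    """Slide a window of each token's length over data and compare hashes.

    Returns sorted (line_number, digest_prefix) pairs. No assumption is made
    about the token's alphabet or the surrounding file syntax.
    """
    hits = []
    for length, digest in fingerprints:
        for start in range(len(data) - length + 1):
            window = data[start:start + length]
            if hashlib.sha256(window).hexdigest() == digest:
                hits.append((data.count(b"\n", 0, start) + 1, digest[:12]))
    return sorted(hits)

def scan_files(paths, fingerprints) -> dict:
    """Map each path that contains a known token to its hits."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            hits = find_tokens(fh.read(), fingerprints)
        if hits:
            report[path] = hits
    return report

# Constructed sample data: a made-up token and a made-up config snippet,
# not Telflo's real token format or bundle layout.
SAMPLE_TOKEN = "EXAMPLE-not-a-real-token-7f3a9c21"
SAMPLE_FILE = (b"# collector settings\nendpoint: example.invalid\n"
               b"token: EXAMPLE-not-a-real-token-7f3a9c21\n")
KNOWN = {fingerprint(SAMPLE_TOKEN)}

if __name__ == "__main__":
    # Pre-commit usage: pass the staged file names as arguments.
    found = scan_files(sys.argv[1:], KNOWN)
    for path, hits in found.items():
        for line, prefix in hits:
            print(f"{path}:{line}: matches install-token fingerprint {prefix}")
    sys.exit(1 if found else 0)
```

Add the new token's fingerprint to the set after each rotation, and keep the old one until that token has expired or been revoked.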
