
Tokens & security

Manage the install token that authenticates a fleet's collectors.

Each fleet has an install token that authenticates its collectors to Telflo over OpAMP. The token is included in the supervisor bundle, so a collector installed from the bundle proves it belongs to the fleet.

Expiry

You set the token expiry when you create the fleet: Never, 180 days, 1 year, or 2 years. The fleet detail page shows the active token and its expiry on the Tokens tab.

Rotate a token

Rotating issues a new token and supersedes the old one. Rotate the token when it is approaching expiry, or on a regular schedule. After rotating, collectors need a bundle that carries the new token. Re-deploy the bundle and update existing hosts.

Revoke a token

Revoking invalidates a token immediately. Revoke a token that may be exposed. A collector using a revoked token can no longer authenticate until it is reinstalled with a valid token.

Recommendations

  • Keep tokens and Quick Deploy URLs out of source control and shared documents. They are credentials.
  • Set a bounded expiry rather than Never for long-lived fleets, and rotate on a schedule.
  • Use the vault for secrets inside your configurations, such as backend credentials, so they are not embedded in the YAML you publish.
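
One way to check a set of fleets against the expiry and rotation recommendations above, as an added example that is not Telflo code. It assumes you record each fleet's token expiry and last rotation date by hand from the Tokens tab; the field names, the 30-day warning window and the 180-day rotation interval are assumptions, and the inventory is constructed.

```python
from datetime import date

# Constructed inventory: values noted by hand from each fleet's Tokens tab.
# Field names are assumptions of this example, not a Telflo export format.
FLEETS = [
    {"name": "edge-eu",  "expires": "Never",      "last_rotated": "2024-01-10"},
    {"name": "payments", "expires": "2025-07-01", "last_rotated": "2025-01-02"},
    {"name": "staging",  "expires": "2026-03-01", "last_rotated": "2025-05-20"},
    {"name": "legacy",   "expires": "2025-05-01", "last_rotated": "2024-11-02"},
]

def audit_fleet(fleet, today, warn_days=30, rotate_every=180):
    """Return finding codes for one fleet; both thresholds are operator policy."""
    findings = []
    if fleet["expires"] == "Never":
        # The page recommends a bounded expiry for long-lived fleets.
        findings.append("never-expires")
    else:
        remaining = (date.fromisoformat(fleet["expires"]) - today).days
        if remaining < 0:
            # Collectors on this token can no longer authenticate.
            findings.append("expired")
        elif remaining <= warn_days:
            # Rotate now, then re-deploy the bundle and update existing hosts.
            findings.append("expiring-soon")
    age = (today - date.fromisoformat(fleet["last_rotated"])).days
    if age > rotate_every:
        # Scheduled rotation applies even when the expiry is far away or Never.
        findings.append("rotation-overdue")
    return findings

def audit(fleets, today):
    """Map each fleet name to its list of finding codes."""
    return {f["name"]: audit_fleet(f, today) for f in fleets}

if __name__ == "__main__":
    # Fixed date so the constructed sample gives the same result on every run.
    for name, findings in audit(FLEETS, date(2025, 6, 15)).items():
        print(f"{name:10} {', '.join(findings) or 'ok'}")
```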
