Skip to content

Rotate a tenant token

A tenant API token is what every collector + the browser session use to talk to the cloud. Rotate when:

  • The token has leaked (commit, screenshot, Slack).
  • A collector you can no longer reach is still active (terminate that one instead via DELETE /v1/collectors/{id} — full rotation only when every collector is suspect).
  • You're decommissioning the tenant.

Steps

bash
ssh ubuntu@kilasec.com
cd /opt/agentfw && . .venv/bin/activate

# 1. Generate a new token for the tenant.
python -m cloud.admin_cli tenants rotate <tenant-id>
# → prints  new token: agt_xxxx...

# 2. Re-issue invite links if you want the new browser sessions to use the new token.
python -m cloud.admin_cli invites create <tenant-id> --label "after rotation"

The old token is invalidated immediately. Every collector that's still using it will start getting 401 on its next ingest call and stop until re-enrolled.

To re-enroll collectors without a service window: do them one at a time, generate a fresh enrollment code per collector, run the installer on each host.

What's not affected

  • Audit history.
  • Policy rules.
  • Identity overrides.

→ Compromise of just a collector token (not the tenant token) is recoverable without rotation — see Collector is offline's "is the collector's token revoked" section.

Documentation for kilasec — the AI Agent Firewall.