Rotate a tenant token
A tenant API token is what every collector + the browser session use to talk to the cloud. Rotate when:
- The token has leaked (commit, screenshot, Slack).
- A collector you can no longer reach is still active (terminate that one instead via
DELETE /v1/collectors/{id}— full rotation only when every collector is suspect). - You're decommissioning the tenant.
Steps
bash
ssh ubuntu@kilasec.com
cd /opt/agentfw && . .venv/bin/activate
# 1. Generate a new token for the tenant.
python -m cloud.admin_cli tenants rotate <tenant-id>
# → prints new token: agt_xxxx...
# 2. Re-issue invite links if you want the new browser sessions to use the new token.
python -m cloud.admin_cli invites create <tenant-id> --label "after rotation"The old token is invalidated immediately. Every collector that's still using it will start getting 401 on its next ingest call and stop until re-enrolled.
To re-enroll collectors without a service window: do them one at a time, generate a fresh enrollment code per collector, run the installer on each host.
What's not affected
- Audit history.
- Policy rules.
- Identity overrides.
→ Compromise of just a collector token (not the tenant token) is recoverable without rotation — see Collector is offline's "is the collector's token revoked" section.