Authorization
Telegraf Controller is in Public Beta
Telegraf Controller is in public beta and will be part of the future Telegraf Enterprise offering. While in beta, Telegraf Controller is not meant for production use. The Telegraf Controller documentation is a work in progress, and we are actively working to improve it. If you have any questions or suggestions, please submit an issue. We welcome any and all contributions.
Telegraf Controller uses session-based authentication for the web UI and token-based authentication for API and Telegraf agent requests. Both mechanisms work together to control who can access the system and what actions they can perform.
User roles
Telegraf Controller enforces a four-tier role hierarchy. Each role inherits the permissions of the roles below it, and higher roles unlock additional administrative capabilities.
| Role | Description |
|---|---|
| Owner | Full system access. Manages users, tokens, and settings. Only one owner exists at a time. Created during initial setup. |
| Administrator | Full system access. Same capabilities as the owner except cannot transfer ownership. |
| Manager | Manages configurations, agents, labels, and reporting rules. Manages own API tokens. Cannot manage users or settings. |
| Viewer | Read-only access to configurations, agents, labels, and reporting rules. Cannot manage tokens, users, or settings. |
Only one owner can exist at a time. The owner account is created during initial setup and cannot be deleted. If you need to change the owner, the current owner must transfer ownership to another user.
To change the owner of your Telegraf Controller instance, see Transfer ownership.
API tokens
API tokens authenticate programmatic API requests and Telegraf agent connections to Telegraf Controller.
Each token is scoped to the user who created it. The token’s effective permissions are restricted to the creating user’s role—a token cannot exceed the permissions of its owner. If a user’s role changes to a role with less permissions, all of that user’s existing tokens are automatically updated with restricted permissions or revoked to match the new role.
Tokens use the tc-apiv1_ prefix, making them easy to identify in configuration
files and scripts.
A token value is shown only once at the time of creation. Store it in a secure location immediately—you cannot retrieve it later.
Endpoint authentication
By default, Telegraf Controller requires authentication for API endpoints. Administrators can selectively require authentication for individual endpoint groups:
- Agents — agent management endpoints
- Configs — configuration management endpoints
- Labels — label management endpoints
- Reporting rules — reporting rule management endpoints
- Heartbeat — agent heartbeat endpoints
When authentication is enabled for an endpoint group, every request to that group must include a valid API token or an active session.
To configure which endpoint groups require authentication, see Manage settings.
Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for Telegraf and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support.