---
title: Authorization
description: Understand how authentication and authorization work in Telegraf Controller, including user roles, API tokens, and endpoint security.
url: https://docs.influxdata.com/telegraf/controller/reference/authorization/
estimated_tokens: 1813
product: Telegraf
version: v1
---

# Authorization

#### Telegraf Controller is in Public Beta

Telegraf Controller is in public beta and will be part of the future Telegraf Enterprise offering. While in beta, Telegraf Controller is **not meant for production use**. The Telegraf Controller documentation is a work in progress, and we are actively working to improve it. If you have any questions or suggestions, please [submit an issue](https://github.com/influxdata/docs-v2/issues/new?labels=Telegraf%20Controller). We welcome any and all contributions.

Beta expectations

-   **No configuration or agent limits**  
    While in beta, Telegraf Controller doesn't place any limits on the number of configurations you can store or the number of Telegraf agents you can track. However, when Telegraf Controller becomes generally available, the free distribution will introduce limits, with the option to increase them through a Telegraf Enterprise license.
-   **Potential breaking changes**  
    While in beta, we will do our best to avoid further breaking changes to Telegraf Controller; however, they may be necessary. The majority of changes we make will be additive and non-breaking, and include any necessary migrations. When we do need to make breaking changes, we will do our best to communicate them clearly and in advance to minimize disruption.
-   **Flexible release schedule**  
    While in beta, we will continue to create new releases of Telegraf Controller, but likely at irregular intervals. We will provide [Telegraf Controller release notes](/telegraf/controller/reference/release-notes/) to make it easy to track updates.

Provide beta feedback

-   Use the **Feedback** feature in the Telegraf Controller UI.
-   [Join the InfluxDB Community Slack](https://influxdata.com/slack) and post feedback in the **#telegraf-enterprise-alpha** channel.
-   Post feedback in the [InfluxData Community](https://community.influxdata.com).

Telegraf Controller uses session-based authentication for the web UI and token-based authentication for API and Telegraf agent requests. Both mechanisms work together to control who can access the system and what actions they can perform.

## User roles

Telegraf Controller enforces a four-tier role hierarchy. Each role inherits the permissions of the roles below it, and higher roles unlock additional administrative capabilities.

| Role | Description |
| --- | --- |
| Owner | Full system access. Manages users, tokens, and settings. Only one owner exists at a time. Created during initial setup. |
| Administrator | Full system access. Same capabilities as the owner except cannot transfer ownership. |
| Manager | Manages configurations, agents, labels, and reporting rules. Manages own API tokens. Cannot manage users or settings. |
| Viewer | Read-only access to configurations, agents, labels, and reporting rules. Cannot manage tokens, users, or settings. |

Only one owner can exist at a time. The owner account is created during initial setup and cannot be deleted. If you need to change the owner, the current owner must transfer ownership to another user.

To change the owner of your Telegraf Controller instance, see [Transfer ownership](/telegraf/controller/users/transfer-ownership/).

## API tokens

API tokens authenticate programmatic API requests and Telegraf agent connections to Telegraf Controller.

Each token is scoped to the user who created it. The token’s effective permissions are restricted to the creating user’s role: a token cannot exceed the permissions of its owner. If a user’s role changes to a role with fewer permissions, all of that user’s existing tokens are automatically updated with restricted permissions or revoked to match the new role.

Tokens use the `tc-apiv1_` prefix, making them easy to identify in configuration files and scripts.

A token value is shown only once at the time of creation. Store it in a secure location immediately—you cannot retrieve it later.
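Because every token starts with `tc-apiv1_`, a repository or configuration directory can be checked for hard-coded tokens before they are committed or shipped. The following scanner is an added example, not part of Telegraf Controller; the token body pattern, the sample file contents, and the `TC_API_TOKEN` variable name are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# The tc-apiv1_ prefix comes from the documentation. The token body's character
# set and minimum length are assumptions, kept broad on purpose.
TOKEN_RE = re.compile(r"tc-apiv1_[A-Za-z0-9_\-]{8,}")

# Constructed sample: one hard-coded token and one environment reference.
SAMPLE = '''\
# agent settings (constructed, not a real Telegraf Controller config)
token = "tc-apiv1_EXAMPLEexample0123456789"
token = "${TC_API_TOKEN}"
'''


def redact(token):
    """Keep the prefix and last four characters so findings can be told apart
    without copying the secret into scan output."""
    return "tc-apiv1_..." + token[-4:]


def scan_text(text, source="<text>"):
    """Return (source, line number, redacted token) for each hard-coded token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Scan every regular file under root, skipping large or unreadable files."""
    findings = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_bytes:
                continue
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for source, lineno, token in results:
        print(f"{source}:{lineno}: hard-coded API token {token}")
    sys.exit(1 if results else 0)
```

Run with a directory argument, the script exits non-zero when it finds a token, so it can gate a commit hook or CI job. The environment reference in the sample is not flagged because it contains no token value.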

## Endpoint authentication

By default, Telegraf Controller requires authentication for API endpoints. Operators can selectively disable authentication for individual endpoint groups at startup:

-   **Agents** — agent management endpoints
-   **Configs** — configuration management endpoints
-   **Labels** — label management endpoints
-   **Reporting rules** — reporting rule management endpoints
-   **Heartbeat** — agent heartbeat endpoints

When authentication is enabled for an endpoint group, every request to that group must include a valid API token or an active session.

Authentication policy is controlled exclusively by the [`--disable-auth-endpoints` CLI flag or `DISABLED_AUTH_ENDPOINTS` environment variable](/telegraf/controller/reference/config-options/#disable-auth-endpoints), read once at startup and immutable at runtime. To change which endpoint groups skip authentication, update the value and restart Telegraf Controller.

#### Related

-   [Manage users](/telegraf/controller/users/)
-   [Manage API tokens](/telegraf/controller/tokens/)
-   [Manage settings](/telegraf/controller/settings/)
