--- title: Use API tokens description: Use API tokens to authenticate Telegraf agents, heartbeat requests, and external API clients with Telegraf Controller. url: https://docs.influxdata.com/telegraf/controller/tokens/use/ estimated_tokens: 2031 product: Telegraf version: v1 --- # Use API tokens #### Telegraf Controller is in Public Beta Telegraf Controller is in public beta and will be part of the future Telegraf Enterprise offering. While in beta, Telegraf Controller is **not meant for production use**. The Telegraf Controller documentation is a work in progress, and we are actively working to improve it. If you have any questions or suggestions, please [submit an issue](https://github.com/influxdata/docs-v2/issues/new?labels=Telegraf%20Controller). We welcome any and all contributions. Beta expectations - **No configuration or agent limits** While in beta, Telegraf Controller doesn't place any limits on the number of configurations you can store or the number of Telegraf agents you can track. However, upon being generally available, the free distribution of Telegraf Controller will have limits introduced, with the option to increase limits through a Telegraf Enterprise license. - **Potential breaking changes** While in beta, we will do our best to no longer make breaking changes to Telegraf Controller, however, they may be necessary. The majority of changes we make will be additive and non-breaking, and include any necessary migrations. When we do need to make breaking changes, we will do our best to communicate them clearly and in advance to minimize disruption. - **Flexible release schedule** While in beta, we will continue to create new releases of Telegraf Controller, but likely at irregular intervals. We will provide [Telegraf Controller release notes](/telegraf/controller/reference/release-notes/) to make it easy to track updates. Provide beta feedback - Use the **Feedback** feature in the Telegraf Controller UI. - [Join the InfluxDB Community Slack](https://influxdata.com/slack) and post feedback in the **#telegraf-enterprise-alpha** channel. - Post feedback in the [InfluxData Community](https://community.influxdata.com). Join our public channels - [InfluxDB Community Slack *(Preferred)*](https://influxdata.com/slack) - [InfluxData Community](https://community.influxdata.com) - [InfluxDB Subreddit](https://reddit.com/r/influxdb) API tokens authenticate requests to Telegraf Controller. Use tokens to connect Telegraf agents, authorize heartbeat reporting, and integrate external API clients. ## With Telegraf agents Configure your Telegraf agent to include an API token when retrieving configurations and reporting heartbeats to Telegraf Controller. Telegraf agents require API tokens with the following permissions: - **Configs**: Read - **Heartbeat**: Write ### Use the INFLUX\_TOKEN environment variable When retrieving a configuration from a URL, Telegraf only sends an `Authorization` when it detects the `INFLUX_TOKEN` environment variable. To authorize Telegraf to retrieve a configuration from Telegraf Controller, define the `INFLUX_TOKEN` environment variable: ```bash export INFLUX_TOKEN=YOUR_TC_API_TOKEN telegraf \ --config "http://telegraf_controller.example.com/api/configs/xxxxxx/toml ``` Replace `YOUR_TC_API_TOKEN` with your Telegraf Controller API token. ### For heartbeat requests Telegraf uses the [Heartbeat output plugin](/telegraf/v1/output-plugins/heartbeat/) to send heartbeats to Telegraf Controller. Use the `INFLUX_TOKEN` environment variable to define the `token` option in your heartbeat plugin configuration. Telegraf uses the environment variable value defined when starting Telegraf. ```toml [[outputs.heartbeat]] url = "http://telegraf_controller.example.com/agents/heartbeat" instance_id = "&{agent_id}" interval = "1m" include = ["hostname", "statistics", "configs"] token = "${INFLUX_TOKEN}" ``` When authentication is required for the heartbeat endpoint, agents must include a valid token with each heartbeat request. If a heartbeat request is missing a token or includes an invalid token, Telegraf Controller rejects the request and the agent’s status is not updated. ## With external API clients Include the token in the `Authorization` header when making API requests to Telegraf Controller: ``` Authorization: Bearer tc-apiv1_ ``` The token’s permissions determine which API endpoints and operations are accessible. Requests made with a token that lacks the required permissions are rejected with an authorization error. If authentication is disabled for an endpoint group in **Settings**, requests to those endpoints do not require a token. See [Settings](/telegraf/controller/settings/#require-authentication-per-endpoint) for details on configuring authentication requirements per endpoint. #### Related - [Authorization](/telegraf/controller/reference/authorization/)