Automate Universal Agent Onboarding with Provisioning Tokens
Deploying a fleet of Universal Agents should be fast to automate and safe to hand off, and provisioning tokens make it both. Deploying Universal Agents at scale should be easy to automate and safe to delegate. Provisioning tokens make both possible.
Today we're introducing provisioning tokens for the Universal Agent, a controlled way to register agents through the API. Each token is scoped to a single organization, capped to the number of agents you plan to deploy, and set to expire on a schedule you choose. This lets partner teams and systems integrators deploy agents without portal access or long-lived credentials. Agents register themselves on first boot, and you choose whether they come online automatically or wait for an admin to authorize them.
Bring a whole fleet online without the portal: Create one token, deploy your agents, and let them register and authorize themselves over the API.
- Let partners deploy into a customer org safely: Each token belongs to a single organization and a short time window, so you decide how many agents can join and for how long.
- Script the path from install to running capabilities: Register an agent, authorize it, and turn on capabilities like Flow Proxy and SNMP/ST in one automated run.
- Keep tokens low risk: Set a usage count, give the token a short expiry, and revoke it once your agents are in.
What's changed in the install flow
The Deploy Agent command in Settings » Universal Agents now bundles your company ID and a provisioning token. When the agent starts, it reads those values (K_COMPANY_ID and K_REGISTER_PROVISIONING_TOKEN) and registers on its own. With an auto-approve token, the agent comes online with a status of Up and nobody has to open the portal to authorize it. If you prefer a checkpoint, an approval-required token leaves each agent Not Authorized until an admin clicks Authorize.
What's new
Provisioning tokens are short-lived, organization-scoped credentials you create through the kagent API, or with the generate-provisioning-token.sh helper in the kagent-helm repository. Each token specifies how many agents can register and when the token expires, allowing you to generate credentials just before deployment instead of storing a long-lived secret.
The same token-based flow works whether you install on standalone Linux or Docker or deploy with the kagent-helm chart on Kubernetes. In every case, the agent picks up the token from an environment variable and registers itself, and you can update the token value later without reinstalling the agent.
Once an agent is registered, you can finish onboarding without the portal. Authorize the agent, enable capabilities by name (kproxy, ktraffic, ranger, kdns), and apply runtime configuration, all through the kagent API. US deployments use grpc.api.kentik.com and EU deployments use grpc.api.kentik.eu.
Why it matters
For a proof of value, this removes a major source of friction. A partner or system integrator can deploy agents into a prospect's organization and have them register and start reporting, without waiting for portal access to be granted. The onboarding steps that used to be manual are now scriptable, so the same process covers one Docker host or a Helm-managed fleet.
You also keep control of exposure. Because a token is tied to one organization, capped by a usage count, and set to expire on a schedule you choose, an agent can only ever join the organization that issued its token. There is no way to move a registered agent from one organization into another, so identities stay clean when you stage in your own org before deploying to a customer's.
Get started
Ready to onboard agents without the portal bottleneck? Open Settings » Universal Agents » Deploy Agent to copy an install command that already includes your company ID and a provisioning token. To create tokens inside an automation script, call the kagent provisioning-tokens API directly, or use the generate-provisioning-token.sh helper in the kagent-helm chart if you deploy on Kubernetes. The Universal Agents guide in our Knowledge Base has the full walkthrough for registration, authorization, and capability configuration.