Enrollment Tokens

Enrollment tokens are network-scoped registration keys that let you add devices to your Rabtly network without requiring each device to go through the browser login flow. Think of them as invite links for machines — you create a token, paste it on the target device, and it joins your network.

How they work

An enrollment token is a secret string prefixed with enrt_. When a device runs rabtly up --token enrt_…, the control plane verifies the token and registers the device into the network that token belongs to. The device gets a private IP, joins the default group (or a group you specify with --group), and appears in your dashboard immediately.

Once a device is registered, the token’s job is done — it is not used again by that device. The device authenticates with its own node key from that point on.

What enrollment tokens control

What they do	What they don’t do
Register a device into a specific network	Grant ongoing permissions or roles
Track which devices were enrolled through each token	Assign ACL policies or special access
Record who created the token and when	Give the device access to other networks

Revoking a token stops new devices from enrolling with it. Devices that were already enrolled are unaffected — they stay connected and keep their IP address.

Creating a token

From the dashboard

Open enrollment settings

Go to Network Settings → Enrollment Tokens in the dashboard.

Click “Create token”

Give the token a descriptive label — for example staging-servers or dev-laptops. This helps you identify the token later.

Set optional constraints

Expiration — choose a preset (1 day, 7 days, 30 days, etc.) or set a custom date. After this date, the token can no longer be used. Leave blank for no expiry.
Max uses — limit how many devices can enroll with this token. Leave blank for unlimited.

Copy the join command

After creation, the dashboard shows a ready-to-run command:


sudo rabtly up \
  --token enrt_... \
  --control https://api.rabtly.cloud

The plaintext token is shown once — it is never stored and cannot be retrieved later. Copy it now. If you lose it, revoke the token and create a new one.

From the CLI

When you run rabtly login and complete the browser login flow, the CLI automatically mints a single-use enrollment token behind the scenes. This token is what the daemon uses to register the device. You don’t need to manage it — the CLI handles the full lifecycle.

Using a token to enroll a device

macOS / Linux


sudo rabtly up --token enrt_...

On success you’ll see:


  ✓  Connected
  Device  my-server
  IP      100.64.0.5

You can also combine install and connect in one command:


curl -fsSL https://dl.rabtly.cloud/install.sh | sh -s -- \
  --token enrt_...

Enrolling into a specific group

By default, devices join the default group. To place a device into a different group at registration time:


sudo rabtly up --token enrt_... --group servers

If the group doesn’t exist yet, it is created automatically.

Managing tokens

Viewing tokens

In Network Settings → Enrollment Tokens you can see all tokens for your network. Each token shows:

Label — the name you gave it
Status — Active, Expired, or Revoked
Use count — how many devices have enrolled with this token
Created by — the email of the admin who created it
Linked devices — expand a token row to see which devices were enrolled through it, with their online status and OS

You can filter by status, search by label or creator email, and sort by date, usage, or label.

Revoking a token

Click the trash icon next to any active token to revoke it. Revocation is immediate — no new devices can use this token. Already-enrolled devices are not affected.

Revocation is permanent — a revoked token cannot be reactivated. Create a new token instead.

What happens when a member is removed

When you remove a member from your network, any enrollment tokens they created are automatically revoked. Devices they enrolled are also removed as part of the cascade.

Token lifecycle at a glance


Create token (dashboard or CLI login)
       │
       ▼
  Token is ACTIVE
  ┌──────────────┐
  │  enrt_abc123  │──── device runs `rabtly up --token ...`
  │               │     → device registered, use_count +1
  │  use_count: 3 │     → device linked to this token
  └──────┬───────┘
         │
         ▼  one of:
  ┌──────────────────────────────────┐
  │  Expired (past expiry date)       │
  │  Exhausted (use_count ≥ max_uses) │
  │  Revoked (admin clicked revoke)   │
  └──────────────────────────────────┘
         │
         ▼
  Token is INACTIVE — new enrollments blocked
  (existing devices unaffected)

Permissions

Action	Who can do it
Create a token	Network Owner or Admin
View all tokens	Network Owner or Admin
Revoke a token	Network Owner or Admin
Use a token to enroll	Anyone with the plaintext token

The CLI’s self-enrollment endpoint (rabtly login) is available to any authenticated network member — it mints a short-lived token scoped to their own device without requiring admin permissions.

Best practices

One token per use case — create separate tokens for different teams, environments, or device types (e.g. prod-servers, dev-laptops, ci-runners). This makes it easy to revoke access for one group without affecting others.
Set an expiry — tokens that live forever are a risk. Use 30 or 90 days for general-purpose tokens, and short-lived (1-day) tokens for one-off setups.
Set a max-use limit for single devices — if a token is meant for one specific server, set max uses to 1. Once that device is enrolled, the token is automatically exhausted.
Revoke tokens you no longer need — the dashboard shows which tokens are active and how many devices they’ve enrolled. Clean up regularly.
Never commit tokens to version control — treat enrt_ tokens like passwords. Use environment variables or secrets managers in CI/CD pipelines.

Add your first device →Access control →CLI reference →