-
Notifications
You must be signed in to change notification settings - Fork 33
docs: org-level-ingestion-tokens — openobserve PR #11691 #433
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file added
BIN
+73.6 KB
...stration/identity-and-access-management/images/org-level-ingestion-tokens-1.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+75.7 KB
...stration/identity-and-access-management/images/org-level-ingestion-tokens-2.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+86 KB
...stration/identity-and-access-management/images/org-level-ingestion-tokens-3.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+134 KB
...stration/identity-and-access-management/images/org-level-ingestion-tokens-4.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
81 changes: 81 additions & 0 deletions
81
...guide/account-administration/identity-and-access-management/ingestion-tokens.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| --- | ||
| description: >- | ||
| Manage organization-level ingestion tokens to securely send logs, metrics, and traces into OpenObserve without tying credentials to individual users. | ||
| --- | ||
| This guide explains how to create, manage, and use organization-level ingestion tokens. These tokens decouple ingestion credentials from individual user accounts, ensuring your data pipelines keep working even when users leave the organization. | ||
|
|
||
| ## Overview | ||
|
|
||
| Organization-level ingestion tokens provide a stable, org-scoped credential for sending data into OpenObserve. Unlike user-bound tokens, org-level tokens: | ||
|
|
||
| - Are **not tied to a specific user** — they survive user removal or role changes. | ||
| - Can **only be used on ingestion endpoints** — they are rejected on any other API path. | ||
| - Are prefixed with `o2oi_` for fast identification. | ||
| - Support multiple named tokens per organization, each independently enabled or disabled. | ||
|
|
||
| A **default** token is created automatically when a new organization is provisioned. | ||
|
|
||
| ## Managing ingestion tokens | ||
|
|
||
| Navigate to **IAM > Ingestion Tokens** to view and manage org-level tokens. | ||
|
|
||
|  | ||
|
|
||
| The page lists all tokens for the current organization with these columns: | ||
|
|
||
| - **Name** — the token name you assign at creation. | ||
| - **Token** — a masked view of the token value, with a **Copy** button. | ||
| - **Created by** — the user who created the token. | ||
| - **Actions** — an enable/disable toggle. Disabled tokens cannot be used for ingestion. | ||
|
|
||
| ### Create a token | ||
|
|
||
| 1. On the **Ingestion Tokens** page, click **Create New Token**. | ||
| 2. In the dialog, enter: | ||
| - **Name** (required) — alphanumeric characters, hyphens (`-`), and underscores (`_`) only. Maximum 256 characters. | ||
| - **Description** (optional) — free-text notes about the token's purpose. | ||
| 3. Click **Create**. | ||
|
|
||
|  | ||
|
|
||
| The full token value is displayed once immediately after creation. **Copy it now** — it will not be shown again. | ||
|
|
||
|  | ||
|
|
||
| ### Enable or disable a token | ||
|
|
||
| Click the **pause**/**play** toggle in the **Actions** column to disable or enable a token. Disabled tokens are immediately rejected on ingestion endpoints. Enabling a token restores its functionality. | ||
|
|
||
| ## Using tokens on the Ingestion page | ||
|
|
||
| When you visit the **Ingestion** page, a token selector dropdown appears above the curl examples. The dropdown lists all enabled org-level ingestion tokens for the current organization. Select a token to populate the curl commands with that credential. | ||
|
|
||
|  | ||
|
|
||
| Click **Manage Tokens** next to the selector to jump directly to the **IAM > Ingestion Tokens** page. | ||
|
|
||
| ### Sending data with an org token | ||
|
|
||
| Use the token as the password in your ingestion requests. For example, with curl: | ||
|
|
||
| ```bash | ||
| curl -i https://your-instance/api/default/_json \ | ||
| -u "org_identifier:o2oi_xxxx" \ | ||
| -d '[{"timestamp": "2026-06-24T12:00:00Z", "level": "info", "message": "hello"}]' | ||
| ``` | ||
|
|
||
| The username should be your organization identifier, and the password is the token value (prefixed with `o2oi_`). | ||
|
|
||
| ## The default token | ||
|
|
||
| Every organization gets a default ingestion token named `default`, created automatically when the organization is provisioned. The default token: | ||
|
|
||
| - Appears at the top of the token list. | ||
| - Works like any other token — you can enable, disable, or rotate it. | ||
| - Is returned by the passcode API endpoint (`GET /{org_id}/passcode`), replacing the old user-bound token. | ||
|
|
||
| ## Permissions | ||
|
|
||
| - **List tokens**: Any authenticated user in the organization can view the token list. | ||
| - **Create, enable, disable**: Requires **Admin** or **Root** role. | ||
| - **Token values are masked in the list** — only the creator sees the full value once at creation time. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the username should not be the org_identifier, instead it should be an user name. The username is used in the ingestion usage reporting.