Token Authentication

Supported version

7.0.0+

Why do we need token authentication after TLS?

TLS provides transport security: it ensures the network can be trusted. Token authentication, on the other hand, is about whether the monitoring data sent by an application can be trusted.

Token

In the current version, a token is considered a simple string.

Set Token

  1. Set token in agent.config file

     # Whether authentication is active depends on the backend setting; see application.yml for more details.
     agent.authentication = ${SW_AGENT_AUTHENTICATION:xxxx}

  2. Set token in application.yml file

     ······
     receiver-sharing-server:
       default:
         authentication: ${SW_AUTHENTICATION:""}
     ······

Authentication failure

The SkyWalking OAP verifies every request from the agent and only allows requests whose token matches the one configured in application.yml to pass through.

If the token does not match, you will see the following log in the agent:

org.apache.skywalking.apm.dependencies.io.grpc.StatusRuntimeException: PERMISSION_DENIED
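
A pre-deployment check for the two settings above, added here as an example (it is not SkyWalking code): it resolves the `${NAME:default}` placeholders the way each side would see them and reports whether the agent token will match the backend token. The function names, the status strings, the sample token value, and the treatment of an empty backend token as "not enforced" are assumptions of this example.

```python
import re

# ${ENV_NAME:default} placeholder syntax used in agent.config and application.yml
PLACEHOLDER = re.compile(r"\$\{(\w+):(.*)\}")

# Constructed sample files, copied from the snippets on this page
AGENT_CONFIG = "agent.authentication = ${SW_AGENT_AUTHENTICATION:xxxx}\n"
APPLICATION_YML = (
    "receiver-sharing-server:\n"
    "  default:\n"
    '    authentication: ${SW_AUTHENTICATION:""}\n'
)

def resolve(value, env):
    """Expand ${NAME:default} from env and return the bare token string."""
    value = value.strip()
    m = PLACEHOLDER.fullmatch(value)
    if m:
        value = env.get(m.group(1), m.group(2))
    return value.strip().strip('"')

def agent_token(text, env):
    """Token the agent would send, read from agent.config text."""
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "agent.authentication":
            return resolve(val, env)
    return ""

def backend_token(text, env):
    """Token configured under receiver-sharing-server in application.yml text."""
    in_section = False
    for line in text.splitlines():
        if line and not line[0].isspace():  # a top-level key starts a new section
            in_section = line.startswith("receiver-sharing-server:")
        elif in_section and line.strip().startswith("authentication:"):
            return resolve(line.split(":", 1)[1], env)
    return ""

def check(agent_env, oap_env, agent_cfg=AGENT_CONFIG, app_yml=APPLICATION_YML):
    """Return a status string; token values are never echoed."""
    agent = agent_token(agent_cfg, agent_env)
    backend = backend_token(app_yml, oap_env)
    if not backend:
        return "backend-token-empty"  # assumption: OAP is not enforcing a token
    if agent != backend:
        return "mismatch"  # the agent would log PERMISSION_DENIED
    return "ok"

if __name__ == "__main__":
    print(check({}, {"SW_AUTHENTICATION": "constructed-token"}))
```
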

FAQ

Can I use token authentication instead of TLS?

No, you shouldn’t. Of course, it’s technically possible, but token and TLS are used for untrusted network environments. In these circumstances, TLS has a higher priority. Tokens can be trusted only under TLS protection, and they can be easily stolen if sent through a non-TLS network.

Do you support other authentication mechanisms, such as ak/sk?

Not for now. But we welcome contributions to this feature.