First start
Registration
The first time the agent runs with a team key, it performs a one-time bootstrap:
wakora --key <YOUR_TEAM_KEY>
The agent sends its host identity (machine id, a hardware fingerprint, and the hostname as a display label) to the server over a pinned HTTPS request. The server returns a per-server key and a UUID (the server id). From this point on:
- the per-server key, not the team key, authenticates the WebSocket,
- the team key is discarded and never written to disk,
- the UUID is the stable identity of this host, independent of its hostname.
The team key is a shared bootstrap credential for a whole team. It only ever mints per-server keys. A stolen host therefore yields only its own short-lived, revocable key, not the powerful team key.
Key rotation
The per-server key rotates every 7 days while the agent is online, over the already authenticated connection, with a short overlap so there is never a lockout. If a host was offline past the rotation window, its current key stays valid until it reconnects, then rotates immediately.
Installing the service before the key
If you set up the service before registering (common with configuration management), the
agent does not crash-loop. It logs that it has no identity yet, idles, and checks for the
identity file every 15 seconds. The moment wakora --key writes the identity, the agent
picks it up and starts, no restart needed.
Confirming it connected
The host should appear in your console within about a minute. On the host you can confirm directly:
tail -f /var/log/wakora/agent.log
You are looking for the heartbeat and, shortly after, lines like definitions received: N
followed by service <name>: matched, K probe(s) activated as the server pushes the
catalog and the agent activates the probes that match this host.
Where identity lives
Identity is stored under the config directory:
- Linux and macOS:
/etc/wakora/identity - Windows:
%ProgramData%\Wakora
The file holds the UUID and the per-server key as ciphertext, encrypted with a key bound to this machine. Copying it to another host does not work: it will not decrypt there. See Security model for the details.