Merged
10 changes: 7 additions & 3 deletions content/telegraf/controller/authentication/_index.md
Expand Up @@ -15,6 +15,10 @@ cascade:
- /telegraf/controller/settings/
---

This section describes how users sign in to {{% product-name %}}.
To authenticate API requests and Telegraf agent connections, see
[Manage API tokens](/telegraf/controller/tokens/).

{{% product-name %}} supports three authentication providers that you can run
individually or together:
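
Review bot: The added opening sentence, "This section describes how users sign in to {{% product-name %}}", scopes the section more narrowly than what this file goes on to cover; the later hunks show provisioning strategies, group-to-role mapping and Owner account behavior. Consider wording it as sign-in plus account provisioning and role assignment, so a reader looking for those topics does not conclude they live elsewhere.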

Expand Down Expand Up @@ -99,8 +103,8 @@ decide whether to create a {{% product-name %}} account for them.
| `domain_restricted` | A pending invite admits the user; otherwise, the email must end with an allowed domain. |
| `auto_create` | A pending invite admits the user; otherwise, any user the provider authenticates is auto-created. |

Each external provider has its own provisioning strategy. For example, you can run LDAP
in `invite_only` while OIDC is in `auto_create`.
Each external provider has its own provisioning strategy. For example, you can run LDAP
in `invite_only` while OIDC is in `auto_create`.

## Group-to-role mapping
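
Review bot: In the example sentence "you can run LDAP in `invite_only` while OIDC is in `auto_create`", nothing tells the reader that the `invite_only` setting on LDAP does not limit who gets an account through OIDC; per the table row just above, `auto_create` creates an account for any user the provider authenticates. Suggest adding a clause that says so, since the strategies are per provider. The removed and added lines also read identically in this view, so the change appears to be whitespace only, which is worth confirming as intended.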

Expand All @@ -112,7 +116,7 @@ mappings on the **Settings** page as rows of `(provider, group name, role)`.
- If a user matches no mapping, the provider's **default role** is assigned
or sign-in is rejected, depending on the provider's
**On no group match** setting.
- The **Owner** role is never assigned through a mapping. You can [Transfer ownership](/telegraf/controller/users/transfer-ownership/) instead.
- The **Owner** role is never assigned through a mapping. You can [Transfer ownership](/telegraf/controller/users/transfer-ownership/) instead.

## Owner account behavior
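
Review bot: In the **Owner** bullet, the link text "Transfer ownership" is capitalized mid-sentence, and "You can ... instead" does not say what it is an alternative to. Suggest something like "To change the owner, [transfer ownership](/telegraf/controller/users/transfer-ownership/) instead." The old and new versions of this line read identically in this view, so the edit appears to be whitespace only.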

4 changes: 4 additions & 0 deletions content/telegraf/controller/tokens/_index.md
Expand Up @@ -15,6 +15,10 @@ cascade:
API tokens authenticate requests to the {{% product-name %}} API and Telegraf agent connections.
Use tokens to authorize Telegraf agents, heartbeat requests, and external API clients.

API tokens are separate from user sign-in.
To configure how users sign in to {{% product-name %}}, see
[Authentication](/telegraf/controller/authentication/).

## Token format

All API tokens use the `tc-apiv1_` prefix, making them easy to identify in
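
Review bot: The added paragraph separates API tokens from user sign-in, but the two context sentences directly above it use "authenticate" and "authorize" for the same thing (tokens "authenticate requests" and are used "to authorize Telegraf agents"), which blurs the distinction the new paragraph introduces. Suggest settling on one verb in the intro while this block is being edited, so the contrast with the Authentication page stays clear.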