Token Renewal

Agent JWTs are valid for 365 days from the moment they are issued. There is no automatic renewal: tokens expire silently and the agent stops sending data.


When to renew

Set a reminder to renew agent tokens before their yearly expiry. You can find the token expiry date in the Alloy configuration file on the agent host, where it is written as a comment:

// Token expires: 2026-03-15 09:41:22 UTC

If an agent has already stopped sending data due to an expired token, renewal is the same procedure. The agent config command always issues a fresh 365-day token regardless of whether the current one has expired.
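
Because expiry is silent, the comment can be checked by a scheduled job instead of a calendar reminder. The script below is an added example, not part of Finch or finchctl; it assumes the comment format shown above, and the 30-day warning window and the config path passed on the command line are assumptions.

```python
"""Warn before a Finch agent token expires by reading the expiry comment
from an Alloy configuration file. Added example, not part of finchctl."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Comment format as shown on this page: // Token expires: 2026-03-15 09:41:22 UTC
EXPIRY_RE = re.compile(
    r"^\s*//\s*Token expires:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\s*$",
    re.MULTILINE,
)

def token_expiry(config_text):
    """Return the expiry as an aware UTC datetime, or None if no comment is found."""
    m = EXPIRY_RE.search(config_text)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def check(config_text, now, warn_days=30):
    """Classify token state: 'missing', 'expired', 'renew-soon' or 'ok'."""
    expiry = token_expiry(config_text)
    if expiry is None:
        # A config without the comment cannot be tracked; treat it as a finding.
        return "missing", None
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired", remaining
    if remaining <= timedelta(days=warn_days):
        return "renew-soon", remaining
    return "ok", remaining

# Constructed sample config fragment; only the expiry comment matters here.
SAMPLE = (
    "// Finch agent configuration (constructed sample)\n"
    "// Token expires: 2026-03-15 09:41:22 UTC\n"
)

if __name__ == "__main__":
    # Usage: python check_token.py <alloy-config-path>  (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    status, remaining = check(text, datetime.now(timezone.utc))
    print(f"{status}: {remaining}")
    # Non-zero exit lets cron or a monitoring check alert on anything but 'ok'.
    sys.exit(0 if status == "ok" else 1)
```
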


Renew a token

Step 1 - Download a fresh config

finchctl agent config \
  --agent.rid rid:finch:8d134b24c2541730:agent:59ddbb5d-73b2-45bf-95d3-5520dcf37618 \
  --agent.config web-01-renewed.cfg \
  finch.example.com

agent config asks the Finch service to generate a new 365-day JWT for the agent's existing RID and writes an updated Alloy configuration file locally.

Step 2 - Deploy the new config

finchctl agent deploy \
  --agent.config web-01-renewed.cfg \
  root@172.17.0.4

Alloy restarts with the new token and reconnects immediately. Any telemetry buffered in the WAL during the gap is flushed after reconnection.


Renew all tokens after a secret rotation

If service rotate-secret was run (global JWT invalidation), every agent needs a new token. The same two-step procedure applies for each agent. See Rotate the Signing Secret for the full workflow.