JoinToken

A JoinToken defines a pre-shared secret token that daemons can use to authenticate with the Riptides control plane. JoinTokens provide a simple onboarding mechanism suitable for initial setup, development environments, or scenarios where platform-native identity (AWS IAM, GCP identity) is not available.

  • API Group: auth.riptides.io
  • Version: v1alpha1
  • Kind: JoinToken
  • Plural: jointokens

token

  • Type: string
  • Required: Yes

The secret token value. Daemons must present this exact value to authenticate. Treat this as a credential — avoid committing it to version control.

workloadID

  • Type: string
  • Required: No

The workload identity to assign to daemons that authenticate with this token. If not set, the daemon’s workload ID is derived from the associated Verifier’s workloadIDTemplate.

expireAt

  • Type: string (RFC 3339 date-time)
  • Required: No

Expiration timestamp for the token. After this time, the token is no longer accepted. If omitted, the token does not expire automatically.

apiVersion: auth.riptides.io/v1alpha1
kind: JoinToken
metadata:
  name: dev-onboarding-token
  namespace: riptides-system
spec:
  token: "my-secret-join-token-value"
  workloadID: riptides/daemon/dev/onboarding-node
  expireAt: "2026-06-01T00:00:00Z"

  • Verifier — a Verifier with joinToken type processes these tokens
  • Claim — created when a daemon presents a join token
  • Daemon — created after successful authentication
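
The token and expireAt guidance above, as an added example that is not part of the Riptides documentation: a generator that builds a JoinToken object with a random token and a bounded expiry, and a check that flags short or non-expiring tokens in a parsed manifest. The function names, MAX_TTL and MIN_TOKEN_CHARS are assumptions standing in for a local policy, and manifests are taken as dicts such as a YAML parser would return.

```python
import secrets
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(days=30)  # assumed local policy, not a Riptides limit
MIN_TOKEN_CHARS = 32          # assumed local policy

def new_join_token(name, namespace, ttl, now=None):
    """Build a JoinToken object with a random token and a bounded expireAt."""
    now = now or datetime.now(timezone.utc)
    expires = (now + ttl).astimezone(timezone.utc)
    return {
        "apiVersion": "auth.riptides.io/v1alpha1",
        "kind": "JoinToken",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "token": secrets.token_urlsafe(32),  # 32 random bytes from the OS CSPRNG
            "expireAt": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
    }

def audit_join_token(obj, now=None):
    """Return findings for one parsed JoinToken manifest (a dict)."""
    now = now or datetime.now(timezone.utc)
    spec = obj.get("spec", {})
    findings = []
    if len(spec.get("token", "")) < MIN_TOKEN_CHARS:
        findings.append(f"token shorter than {MIN_TOKEN_CHARS} characters")
    expire_at = spec.get("expireAt")
    if expire_at is None:
        return findings + ["no expireAt: token does not expire automatically"]
    try:
        expires = datetime.fromisoformat(expire_at.replace("Z", "+00:00"))
    except ValueError:
        return findings + ["expireAt is not an RFC 3339 date-time"]
    if expires.tzinfo is None:
        return findings + ["expireAt has no UTC offset"]
    if expires <= now:
        findings.append("expireAt is in the past: token is no longer accepted")
    elif expires - now > MAX_TTL:
        findings.append(f"expireAt is more than {MAX_TTL.days} days away")
    return findings

if __name__ == "__main__":
    # Constructed input: the spec values from the example manifest on this page.
    page = {"spec": {"token": "my-secret-join-token-value",
                     "expireAt": "2026-06-01T00:00:00Z"}}
    print(audit_join_token(page, datetime(2026, 1, 1, tzinfo=timezone.utc)))
    print(audit_join_token(new_join_token("ci-node", "riptides-system", timedelta(hours=1))))
```

Write the generated object to a secret store or apply it directly rather than saving it in a repository, since spec.token is the credential itself.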