Setup Tokens

Last updated on May 21, 2026

A setup token is a one-time credential that lets the CLI register as a Station without an interactive browser login. The dashboard issues the token, the install script redeems it, and the CLI saves the station-scoped API key and starts the daemon. You reach for setup tokens when you need headless installs and provisioning scripts.

Lifecycle

Setup tokens are deliberately short-lived and narrowly scoped, so a leaked token has limited blast radius.

Property      Value
TTL           1 hour from issue
Uses          Single-use (consumed on redeem)
Scope         One station, station-scoped key only
Issued by     Dashboard: Stations -> <Station> -> Install
Redeemed by   tofupilot login --token <TOKEN>

The token is a 64-character opaque string scoped to a single station. Once redeemed, it is marked consumed and rejected on any further use.

Issue a token

You issue a token from the station's detail page in the dashboard, and the dashboard hands you a ready-to-paste install command.

  1. In the dashboard, open Stations and either pick an existing station or create a new one with New Station.
  2. Click Install command on the station detail page.
  3. The dashboard generates a fresh token on the fly and copies the full install command to your clipboard:
copied-from-dashboard
curl -fsSL tofupilot.sh/install | sh -s -- --token <SETUP_TOKEN>

For self-hosted instances, the copied command includes --url automatically; on the SaaS domain (tofupilot.app) it is left out.

Redeem on the test machine

You run the install command on the station hardware, and the install script downloads the CLI before invoking the redeem flow.

under-the-hood
tofupilot login --token <SETUP_TOKEN>

The CLI sends the token along with a local hardware fingerprint (hostname, OS, platform, MAC, CLI version). The server validates the token, consumes it, mints an API key scoped to the station, and returns credentials the CLI saves at ~/.tofupilot/credentials.json.
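The validate, consume and mint sequence described above, modeled as an added Python example that is not TofuPilot's code. The in-memory store, hashing the token at rest, the injectable clock and the API key format are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 3600  # from the page: 1 hour from issue


class SetupTokenStore:
    """Toy in-memory model of the setup-token lifecycle (assumed design)."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised offline
        self._tokens = {}    # sha256(token) -> record; raw token is never stored

    def issue(self, station_id):
        token = secrets.token_hex(32)  # 64-character opaque string
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = {
            "station": station_id,  # scope: exactly one station
            "expires": self._clock() + TTL_SECONDS,
            "consumed": False,
        }
        return token

    def redeem(self, token):
        """Return (station_id, api_key), or raise ValueError with the reason."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._tokens.get(digest)
        if record is None:
            raise ValueError("unknown token")
        if record["consumed"]:
            raise ValueError("token already consumed")
        if self._clock() >= record["expires"]:
            raise ValueError("token expired")
        # Mark consumed before minting, so a retry after a partial failure
        # cannot obtain a second key from the same token.
        record["consumed"] = True
        api_key = secrets.token_urlsafe(32)  # constructed key format
        return record["station"], api_key
```

A production store would make the consumed check and update a single atomic operation, so two concurrent redeems of the same token cannot both succeed.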

What the token grants

The redeemed key is a station API key, not a user key, so its permissions are narrowly scoped. It can:

  • Upload Runs for procedures linked to this station.
  • Pull Deployments targeted at this station.
  • Read its own station record via stations.get_current.
  • Create procedure versions for linked procedures.

It cannot manage users, mutate other stations, or read organization-wide data. For the full station permission matrix, see access roles.

Setup tokens are single-use and time-boxed. If the install script fails halfway, generate a fresh token rather than retrying with the consumed one. The CLI prints a hint pointing back to the Setup page when it hits a consumed or expired token.

Rotation

To rotate, you delete the station's installation from the dashboard and re-run the install command on the test machine. That issues a new token, redeems it, and overwrites local credentials, so the old API key stops working immediately.
