Mobb Broker Token Rotation

Background

The purpose of the Mobb broker token is to encrypt the tunnel established between your on-premises SCM (GitLab, GitHub or ADO) and the Mobb platform. It acts as an authentication token that secures the communication and ensures only authorized connections can be established through the broker.

By default, the broker token automatically expires 3 months (92 days) after creation. This policy keeps the tunnel secure by regularly renewing authentication, reducing the risk of long-term token exposure or misuse.

These capabilities are currently only available via the APIs described below. They will be added to the Mobb UI very soon.

Reference APIs to Perform Token Rotation

URL and Authentication

The following data should be set in every call to the API:

  • URL: All API calls should go to https://api.mobb.ai/v1/graphql. For single-tenant users, the URL is https://api-st-<YOUR_SINGLE_TENANT_ID>.mobb.ai/v1/graphql

  • x-mobb-key: Authentication token, an API key fetched from the settings of a user with appropriate permissions in the organization. This value should be sent as an HTTP header with each call. To generate a Mobb API key, refer to the guide here.

Step 1. Check if your token is about to expire (broker_host)

Request

To list all current broker connections, together with the tokens associated with each broker, run the following curl command (the GraphQL query is kept on one line because a JSON string may not contain raw line breaks):

curl --location 'https://api.mobb.ai/v1/graphql' \
--header 'x-mobb-key: <YOUR_MOBB_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
    "query": "query getBrokerConfigurations { broker_host { id organizationId realDomain virtualDomain brokerTokens { tokenName createdOn } } }",
    "variables": {}
}'

Sample response

{
  "data": {
    "broker_host": [
      {
        "id": "1a328baa-9a15-4249-8168-abb3cd26a292",
        "organizationId": "afc837fb-ecb7-4b3f-9eda-127127cca2c2",
        "realDomain": "antony-ubuntu-vm",
        "virtualDomain": "06e090b9-9d8f-4134-941e-5def0c222288",
        "brokerTokens": [
          {
            "tokenName": "my_token_name",
            "createdOn": "2024-10-03T20:18:12.468448+00:00"
          }
        ]
      }
    ]
  }
}

From the sample response above we can read off the following about the broker host instances:

  • The broker that connects to the internal domain gitlab-ubuntu-vm has the broker_host id 1a328baa-9a15-4249-8168-abb3cd26a292. Note down this ID; it is needed in the next step.

  • This broker host has a token named my_token_name that was created on 2024-10-03, so it will expire on 2025-01-03 (92 days later).

Step 2. Generate a new token (createBrokerApiToken)

Once you have obtained the broker_host id from the previous step, you are ready to generate and set a new broker token using the following curl command.

Request

curl --location 'https://api.mobb.ai/v1/graphql' \
--header 'x-mobb-key: <YOUR_MOBB_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
    "query": "mutation createBrokerApiToken($brokerHostId: String!, $tokenName: String!) { createBrokerApiToken(brokerHostId: $brokerHostId, tokenName: $tokenName) { token } }",
    "variables": {
        "brokerHostId": "<BROKER_HOST_ID>",
        "tokenName": "<ANY_TOKEN_NAME>"
    }
}'

  • brokerHostId: the broker host id obtained in the previous step.

  • tokenName: any name you like for the new token.

Sample response:

{
    "data": {
        "createBrokerApiToken": {
            "token": "lNVAMfhxKSHUQT7Qpar7cd6v8UqOxY"
        }
    }
}

Save the value of the "token" field. In this sample response, the value is "lNVAMfhxKSHUQT7Qpar7cd6v8UqOxY".

Step 3. Update your Mobb broker container to use the new broker token value

Once you have obtained the new token value, set it in the FRP_BROKER_AUTH_TOKEN environment variable of your Mobb broker as described in the Mobb Broker configuration guide.

This completes the tutorial on generating a new Mobb broker token.
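The three steps above as one script, added here as an example and not part of the Mobb documentation: it runs the Step 1 query, flags tokens whose createdOn is within an assumed 14-day warning window of the 92-day expiry, and builds the Step 2 mutation body for each. The network helper, the warning threshold and the "-rotated" token naming are assumptions; the offline demo uses a constructed "today" and a constructed copy of the page's sample response.

```python
import json
import urllib.request
from datetime import datetime, timedelta

MOBB_GRAPHQL_URL = "https://api.mobb.ai/v1/graphql"
TOKEN_LIFETIME_DAYS = 92  # default broker token lifetime stated on this page
# Query and mutation from the page's curl examples, on one line so the JSON body stays valid.
QUERY_BROKER_HOSTS = ("query getBrokerConfigurations { broker_host { id organizationId realDomain "
                      "virtualDomain brokerTokens { tokenName createdOn } } }")
MUTATION_CREATE_TOKEN = ("mutation createBrokerApiToken($brokerHostId: String!, $tokenName: String!) "
                         "{ createBrokerApiToken(brokerHostId: $brokerHostId, tokenName: $tokenName) { token } }")

def graphql_body(query, variables=None):
    """Request body in the same shape the curl examples send."""
    return json.dumps({"query": query, "variables": variables or {}})

def post_graphql(api_key, body, url=MOBB_GRAPHQL_URL):
    """One authenticated call to the endpoint (network; not exercised by the offline demo below)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"x-mobb-key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def token_expiry(created_on):
    """createdOn + 92 days, e.g. 2024-10-03 -> 2025-01-03 as in the walkthrough above."""
    return datetime.fromisoformat(created_on) + timedelta(days=TOKEN_LIFETIME_DAYS)

def tokens_needing_rotation(response, now_iso, warn_days=14):
    """(brokerHostId, tokenName, expiry) for tokens expiring within warn_days (an assumed threshold)."""
    now = datetime.fromisoformat(now_iso)
    due = []
    for host in response["data"]["broker_host"]:
        for tok in host["brokerTokens"]:
            exp = token_expiry(tok["createdOn"])
            if exp - now <= timedelta(days=warn_days):
                due.append((host["id"], tok["tokenName"], exp))
    return due

# Constructed offline stand-in for the Step 1 response, reusing the sample values shown on the page.
SAMPLE_RESPONSE = {"data": {"broker_host": [{
    "id": "1a328baa-9a15-4249-8168-abb3cd26a292",
    "organizationId": "afc837fb-ecb7-4b3f-9eda-127127cca2c2",
    "realDomain": "antony-ubuntu-vm",
    "virtualDomain": "06e090b9-9d8f-4134-941e-5def0c222288",
    "brokerTokens": [{"tokenName": "my_token_name", "createdOn": "2024-10-03T20:18:12.468448+00:00"}]}]}}

if __name__ == "__main__":  # "today" is a constructed date; use the current UTC time in practice
    for host_id, name, exp in tokens_needing_rotation(SAMPLE_RESPONSE, "2024-12-25T00:00:00+00:00"):
        print(f"{name!r} on broker host {host_id} expires {exp:%Y-%m-%d}; requesting a replacement")
        body = graphql_body(MUTATION_CREATE_TOKEN, {"brokerHostId": host_id, "tokenName": f"{name}-rotated"})
        print(body)  # send via post_graphql(); store data.createBrokerApiToken.token in FRP_BROKER_AUTH_TOKEN
```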

Last updated 6 months ago