Mobb Broker Token Rotation

Background

The purpose of the Mobb broker token is to encrypt the tunnel established between your on-premise SCM (GitLab, GitHub or ADO) and the Mobb platform. It acts as an authentication token to secure the communication and ensure only authorized connections can be established through the broker.

By default, the broker token automatically expires 3 months (92 days) after creation. This policy ensures the security of the tunnel by regularly renewing authentication, reducing the risk of long-term token exposure or misuse.

These capabilities are currently only available via the following APIs. They will be added to the Mobb UI very soon.

Reference APIs to Perform Token Rotation

URL and Authentication

The following data should be set in every call to the API:

  • URL: All API calls should go to the following URL: https://api.mobb.ai/v1/graphql
    For single tenant users, your URL should be: https://api-st-<YOUR_SINGLE_TENANT_ID>.mobb.ai/v1/graphql

  • x-mobb-key: Authentication token: an api-key fetched from the settings of a user with appropriate permissions in the organization. This value should be sent as an HTTP header with each call. To generate a Mobb api-key, refer to the guide here.

Step 1. Check if your token is about to expire (broker_host)

Request

To list all current broker connections and the tokens associated with each broker, run the following curl command:

# The query is kept on one line: a JSON string cannot contain raw line breaks.
curl --location 'https://api.mobb.ai/v1/graphql' \
--header 'x-mobb-key: <YOUR_MOBB_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
    "query": "query getBrokerConfigurations { broker_host { id organizationId realDomain virtualDomain brokerTokens { tokenName createdOn } } }",
    "variables": {}
}'

Sample response

{
  "data": {
    "broker_host": [
      {
        "id": "1a328baa-9a15-4249-8168-abb3cd26a292",
        "organizationId": "afc837fb-ecb7-4b3f-9eda-127127cca2c2",
        "realDomain": "antony-ubuntu-vm",
        "virtualDomain": "06e090b9-9d8f-4134-941e-5def0c222288",
        "brokerTokens": [
          {
            "tokenName": "my_token_name",
            "createdOn": "2024-10-03T20:18:12.468448+00:00"
          }
        ]
      }
    ]
  }
}

From the sample response above, we can extract the following information about the broker host instances:

  • The broker that connects to the internal domain gitlab-ubuntu-vm has a broker_host id: 1a328baa-9a15-4249-8168-abb3cd26a292. Note down this ID as we will need it later.

  • This broker host has a token named my_token_name that was created on 2024-10-03. This means the token will expire on 2025-01-03 (92 days after creation).

Step 2. Generate a new token (createBrokerApiToken)

Once you have obtained the broker_host id from the previous step, you are ready to generate and set a new broker token. To do so, use the following curl command.

Request

# The mutation is kept on one line: a JSON string cannot contain raw line breaks.
# The single quotes around --data stop the shell from expanding $brokerHostId and $tokenName.
curl --location 'https://api.mobb.ai/v1/graphql' \
--header 'x-mobb-key: <YOUR_MOBB_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
    "query": "mutation createBrokerApiToken($brokerHostId: String!, $tokenName: String!) { createBrokerApiToken(brokerHostId: $brokerHostId, tokenName: $tokenName) { token } }",
    "variables": {
        "brokerHostId": "<BROKER_HOST_ID>",
        "tokenName": "<ANY_TOKEN_NAME>"
    }
}'

  • brokerHostId: Use the broker host id obtained in the previous step.

  • tokenName: You can use any token name here.

Sample response:

{
    "data": {
        "createBrokerApiToken": {
            "token": "lNVAMfhxKSHUQT7Qpar7cd6v8UqOxY"
        }
    }
}

Save the value of the "token" field from the output. In this sample response, the value would be "lNVAMfhxKSHUQT7Qpar7cd6v8UqOxY".

Step 3. Update your Mobb broker container to use the new broker token value

After you've obtained the new token value, you can now set it in the FRP_BROKER_AUTH_TOKEN environment variable in your Mobb broker as described in the Mobb Broker configuration guide.

This completes this tutorial on how to generate a new Mobb broker token.
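
Steps 1 and 2 can be scripted. The following Python script is an added example, not Mobb's own code: it reads a Step 1 response, computes each token's expiry as createdOn plus the 92-day default, and builds the Step 2 request body for tokens that are due. The 14-day warning window, the function names and the "-rotated" token name suffix are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=92)  # default broker token lifetime stated on this page
WARN_WINDOW = timedelta(days=14)     # assumption: start rotating two weeks before expiry

# Step 1 sample response from this page (trimmed), embedded so the script runs offline.
SAMPLE_RESPONSE = json.loads("""
{"data": {"broker_host": [{
  "id": "1a328baa-9a15-4249-8168-abb3cd26a292",
  "realDomain": "antony-ubuntu-vm",
  "brokerTokens": [{"tokenName": "my_token_name",
                    "createdOn": "2024-10-03T20:18:12.468448+00:00"}]}]}}
""")

CREATE_MUTATION = (
    "mutation createBrokerApiToken($brokerHostId: String!, $tokenName: String!) { "
    "createBrokerApiToken(brokerHostId: $brokerHostId, tokenName: $tokenName) { token } }"
)

def tokens_due(response, now, warn=WARN_WINDOW):
    """Return (broker_host id, tokenName, expiry) for tokens expired or expiring within `warn`."""
    due = []
    for host in response["data"]["broker_host"]:
        for tok in host.get("brokerTokens") or []:
            expires = datetime.fromisoformat(tok["createdOn"]) + TOKEN_LIFETIME
            if expires - now <= warn:
                due.append((host["id"], tok["tokenName"], expires))
    return due

def rotation_body(broker_host_id, token_name):
    """Build the Step 2 request body; json.dumps handles the JSON string escaping."""
    return json.dumps({
        "query": CREATE_MUTATION,
        "variables": {"brokerHostId": broker_host_id, "tokenName": token_name},
    })

if __name__ == "__main__":
    for host_id, name, expires in tokens_due(SAMPLE_RESPONSE, datetime.now(timezone.utc)):
        print(f"{name} on broker_host {host_id} expires {expires:%Y-%m-%d}; rotate it")
        # Hypothetical new token name; POST this body with the x-mobb-key header.
        print(rotation_body(host_id, name + "-rotated"))
```

The script only prints the request body. The token returned by the actual createBrokerApiToken call is a secret and should go straight into FRP_BROKER_AUTH_TOKEN rather than into logs.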
