Mobb Broker Token Rotation

Background

The purpose of the Mobb broker token is to encrypt the tunnel established between your on-premise SCM (GitLab, GitHub or ADO) and the Mobb platform. It acts as an authentication token to secure the communication and ensure only authorized connections can be established through the broker.

By default, the broker token automatically expires after 3 months (92 days) after creation. This policy ensures the security of the tunnel by regularly renewing authentication, reducing the risk of long-term token exposure or misuse.

These capabilities are currently only available via the following APIs. They will be added to the Mobb UI very soon.

Reference APIs to Perform Token Rotation

URL and Authentication

The following data should be set in every call to the API:

Fields

Value

URL

All API calls should go the following URL: https://api.mobb.ai

For single tenant users, your URL should be: https://api-st-<YOUR_SINGLE_TENANT_ID>.mobb.ai

x-mobb-key

Authentication token: an api-key fetched from the setting of a user with appropriate permissions in the organization.

This value should be sent as an HTTP header with each call. To generate a Mobb api-key, refer to the guide here.

Step 1. Check if your token is about to expire using GET api/rest/GetBrokerConfigurations

Request

To find out all current broker connections as well as tokens associated with each of the brokers, you can run the following curl command:

curl https://api.mobb.ai/api/rest/getbrokerconfigurations \
--header 'x-mobb-key: <YOUR_MOBB_API_KEY>' \
--header 'Content-Type: application/json'

Sample response

{
  "broker_host": [
    {
      "id": "1a328baa-9a15-4249-8168-abb3cd26a292",
      "organizationId": "afc837fb-ecb7-4b3f-9eda-127127cca2c2",
      "realDomain": "antony-ubuntu-vm",
      "virtualDomain": "81317cf7-9c01-43c6-80d5-c0fcd38bf8f5",
      "brokerTokens": [
        {
          "tokenName": "new2",
          "createdOn": "2024-10-08T16:43:16.492661+00:00"
        },
        {
          "tokenName": "antony_gitlab_on-prem_token",
          "createdOn": "2025-07-06T17:54:52.73125+00:00"
        }
      ]
    },
    {
      "id": "0a3f2260-a0d0-4b9b-9bc2-91378991a211",
      "organizationId": "afc837fb-ecb7-4b3f-9eda-127127cca2c2",
      "realDomain": "testrestapi.sample.domain",
      "virtualDomain": "b024820c-328c-430a-a6de-5fa5e210d2a8",
      "brokerTokens": [
        {
          "tokenName": "testing_via_restapi_tokenName",
          "createdOn": "2025-06-12T16:53:48.553857+00:00"
        },
        {
          "tokenName": "test_from_postman_delete_later",
          "createdOn": "2025-06-12T17:01:37.12678+00:00"
        },
        {
          "tokenName": "test-create-via-rest-api-2025-07-08",
          "createdOn": "2025-07-08T23:53:01.077461+00:00"
        }
      ]
    }
  ]
}

In the sample response above, we are able to extrapolate the following information about my broker host instances:

The broker that connects to the internal domain gitlab-ubuntu-vm has a broker_host id: 1a328baa-9a15-4249-8168-abb3cd26a292. Note down this ID as we will need it later.
This broker host has a token with the name antony_gitlab_on-prem_token that was created on 2025-07-06, this means that this token will expire on 2025-10-06 (92 days)

Step 2. Generate a new token using POST /api/rest/createbrokerapitoken

Once you obtained the broker_host id from the previous step, you are now ready to generate and set a new broker token. To do so, you can use the following curl command.

Request

curl https://api.mobb.ai/api/rest/createbrokerapitoken \
  --request POST \
  --header 'Content-Type: application/json' \
  --header 'x-mobb-key: <YOUR_MOBB_API_KEY>' \
  --data '{
  "brokerHostId": "<BROKER_HOST_ID>",
  "tokenName": "<ANY_TOKEN_NAME>"
}'

brokerHostId: Use the broker host id obtained in the previous step.
tokenName: You can use any token name here.

Sample response:

{
    "data": {
        "createBrokerApiToken": {
            "token": "lNVAMfhxKSHUQT7Qpar7cd6v8UqOxY"
        }
    }
}

Save the value of "token" output. In this sample reponse, the value would be "lNVAMfhxKSHUQT7Qpar7cd6v8UqOxY"

Step 3. Update your Mobb broker container to use the new broker token value

After you've obtained the new token value, you can now set it in the FRP_BROKER_AUTH_TOKEN environment variable in your Mobb broker as described in the Mobb Broker configuration guide.

This completes this tutorial on how to generate a new Mobb broker token.

PreviousMobb Broker NextSecure storage of Mobb broker in AWS Secrets Manager

Last updated 6 months ago

hashtagBackground

hashtagReference APIs to Perform Token Rotation

hashtagURL and Authentication

hashtagStep 1. Check if your token is about to expire using GET api/rest/GetBrokerConfigurationsarrow-up-right

hashtagRequest

hashtagSample response

hashtagStep 2. Generate a new token using POST /api/rest/createbrokerapitoken

hashtagRequest

hashtagSample response:

hashtagStep 3. Update your Mobb broker container to use the new broker token value

Background

Reference APIs to Perform Token Rotation

URL and Authentication

Step 1. Check if your token is about to expire using GET api/rest/GetBrokerConfigurations

Request

Sample response

Step 2. Generate a new token using POST /api/rest/createbrokerapitoken

Request

Sample response:

Step 3. Update your Mobb broker container to use the new broker token value