Provision devices headlessly.
Issue a token. Drop it into a curl command, a Terraform module, or an Ansible playbook. The device joins your mesh, picks up its policies, and starts serving — no browser, no human, no manual click.
- One-line curl installer with embedded token
- Set expiry, usage limits, default group per key
- Reusable (fleets) or ephemeral (CI runners)
Default group · ci-runners
Install on any host
# One line, any Linux / macOS host
$ curl -fsSL get.meshr.to | \
sudo MESHR_KEY=msk_ab12...c9f3 bash
✓ Joined as runner-ci-04 (10.0.0.41)
Built for the workflows you already have.
Stop SSH-ing into every new box to run a setup command. Bake the key in, boot the box, done.
Terraform & Ansible
Inject the setup key as a variable. Every EC2 / VM / droplet your IaC provisions joins the mesh automatically on first boot.
user_data = "curl get.meshr.to | MESHR_KEY=${var.meshr_key} sh"
CI runners
Spin an ephemeral CI runner per job. Single-use key, 10-minute TTL — the runner joins, runs, terminates.
docker run -e MESHR_KEY=msk_... ghcr.io/meshr/runner
Edge & air-gapped
Pre-bake the key into a Raspberry Pi image. Ship the unit. It calls home over LTE and joins the mesh — zero on-site config.
echo MESHR_KEY=msk_... > /etc/meshr.env
Tokens that behave themselves.
Every key carries its own guardrails — expiry, usage caps, a default group, and a full audit trail.
Expiry + usage limits
Every key has a TTL and an optional usage cap. A leaked key automatically becomes useless once the timer or the counter runs out.
Reusable or single-use
Reusable keys for steady-state fleets (a long-lived edge cluster). Ephemeral keys for one-shot jobs (a CI runner that lives for 10 minutes).
Reusable
Fleets, IaC-provisioned VMs, edge devices
Ephemeral
CI runners, scratch debug VMs, one-off jobs
Default group baked into the key
Pick a default group at key creation. Every device that uses the key auto-joins that group — and inherits the policies that already exist there.
# Key tagged with default-group=ci-runners
$ curl ... | MESHR_KEY=msk_... bash
✓ runner-ci-04 joined
✓ auto-added to group: ci-runners
✓ policies applied: 4
Every use, recorded
Each device that joined via a setup key is tagged with the key ID. When a key gets compromised, you know exactly which devices to revoke — and Audit Logs show every use.
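A minimal model of the guardrails described above (expiry, usage cap, default group, key-ID tagging and revocation), added here as an illustration and not Meshr's own code. The class, field and verdict names are hypothetical, and the key and hostnames are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class SetupKey:
    key_id: str
    expires_at: datetime
    max_uses: Optional[int]  # 1 = ephemeral, None = reusable with no cap
    default_group: str
    uses: int = 0
    revoked: bool = False

@dataclass
class Registry:
    keys: dict = field(default_factory=dict)     # secret -> SetupKey (real services index by a hash)
    devices: dict = field(default_factory=dict)  # hostname -> (key_id, group)
    audit: list = field(default_factory=list)    # every attempt, accepted or refused

    def enroll(self, secret, hostname, now):
        key = self.keys.get(secret)
        if key is None:
            verdict = "unknown key"
        elif key.revoked:
            verdict = "revoked"
        elif now >= key.expires_at:
            verdict = "expired"
        elif key.max_uses is not None and key.uses >= key.max_uses:
            verdict = "usage cap reached"
        else:
            verdict = "joined"
            key.uses += 1
            self.devices[hostname] = (key.key_id, key.default_group)
        self.audit.append((now, key.key_id if key else None, hostname, verdict))
        return verdict

    def revoke(self, key_id):  # disable the key, drop every device tagged with its ID
        for key in self.keys.values():
            key.revoked |= key.key_id == key_id
        hit = sorted(h for h, (k, _) in self.devices.items() if k == key_id)
        self.devices = {h: v for h, v in self.devices.items() if h not in hit}
        return hit

def ci_scenario():
    # Constructed sample: single-use key, 10-minute TTL, default group ci-runners.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = Registry()
    reg.keys["msk_constructed"] = SetupKey("key-ci", t0 + timedelta(minutes=10), 1, "ci-runners")
    return reg, t0
```

Refused attempts are written to the audit list as well, so a replayed or leaked key shows up in the log even though the enrollment fails.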
One token, a whole fleet on the mesh.
Free for every feature while we're in beta. Mint a setup key and provision your first headless device in minutes.