Agents
ByteOr Cloud agents are environment-scoped runtime nodes that receive deployments, report status, and upload artifacts.
Bootstrap Model
Agent enrollment is a two-step credential model:
- An environment-scoped enrollment token with
agent:enrollscope is used once to register the node - The control plane returns a per-agent runtime API key that the node keeps for all subsequent operations
Do not reuse the enrollment token after registration succeeds.
Required Environment Variables
Enrollment Flow
Register the agent against the project environment:
If name is omitted, the backend derives one from the host name.
Persist the response values — especially the agent ID and runtime API key.
Runtime Operations
After enrollment, the agent uses the per-agent runtime key for:
- Heartbeat updates — periodic health reporting
- Deployment fetch — receiving deployment targeting information
- Signing-key refresh — maintaining current credential material
- Artifact upload — submitting incident bundles and snapshots
Artifact Upload
The runtime key must include the agent:artifact_upload scope.
Artifact uploads enforce:
- Type validation
- Size validation
- Content-hash deduplication
- Scoped authorization
- Rate limiting (returns
429on excess)
Install Sequence
- Install the agent binary and service unit on the target host
- Set
BYTEOR_API_BASE_URLto the hosted API origin - Use the environment enrollment token during first boot
- Persist the returned agent ID and runtime API key
- Start the agent service
- Verify heartbeats appear in the Cloud control plane
Operational Notes
- Each agent is scoped to exactly one environment
- Enrollment tokens should be short-lived and single-use
- Runtime API keys are per-agent and should be stored securely
- If an agent shows repeated
401or403responses, check key scopes and environment binding
Production Bootstrap
Install on a target host with the one-liner:
What the script does:
- Installs the
byteor-agentbinary and systemd service unit - Calls
POST /api/v1/.../agentswith host metadata (hostname, OS, arch, runtime version, labels) - Stores the returned agent identity and per-agent API key in
/etc/byteor/agent.env - Enables and starts
byteor-agent.service - The agent enters steady-state: heartbeats → deployment fetch → bundle pull → artifact upload
The script is idempotent — if /etc/byteor/agent.env already exists, it reuses the existing identity unless --force is provided.