Skip to main content

Agent Access Tokens

To connect to the Lacework application, Lacework agents require an agent access token. Lacework also provides scripts and configuration files to facilitate deployment, which includes the token.

Agent Access Tokens

You can generate new agent tokens and deactivate existing tokens. All Lacework agents using a deactivated token can not communicate with Lacework and must be updated with an active token.


You can use the agent access token name to logically separate your deployments, for example, by environment types (e.g., QA or Dev) or system types (e.g., CentOS or RHEL).

  1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
  2. Go to Settings > Configuration > Agents.
  3. Click + Add New.
  4. Enter a unique logical name for the agent token.
  5. Enter a description.
  6. Click Next.
  7. Follow the steps in the next section to install the Lacework agent.

Treat agent access tokens as secrets; do not publish them. A token uniquely identifies a Lacework customer. If you suspect your agent access token has been publicly exposed or compromised, generate a new token from the Lacework Console. You can either add the new token to the config.json file or reinstall the agent on all machines that use the old token. When complete, the old token can safely be disabled without interrupting Lacework services.

You can optionally create an agent token programmatically. For more information, see the Token API. To access the Lacework API, see Lacework API.

Install the Lacework Agent

Lacework automatically generates an agent token for your account. You can use the same token for all agents. You can also add new tokens as described in Agent Access Tokens.

Lacework-provided scripts and configuration files are token-specific and are listed in the Install options for each agent token.

  1. Click the desired installation method.
  2. Either download the token-specific script or copy the URL to use later.
  3. Click Save.