By default, any node that knows your group's API key can register itself. For development and internal use, that is convenient. For production deployments where third parties install nodes, it is a security risk.
Protected Groups solve this. When you enable protection on a group, new nodes can only register using a one-time install key. Each key works exactly once. After a node uses it to register, the key is consumed and cannot be reused. If someone intercepts or shares the key, it is worthless — it has already been used.
The Workflow
The process is straightforward:
- You generate a one-time install key in the dashboard
- You send the install command (containing the key) to whoever needs to deploy the node — a field technician, a customer, a partner
- They run the command — one line in a terminal or PowerShell
- The node registers, the key expires
- You see the new node appear in your dashboard
Scenario: Customer Self-Installation
You sell a service that requires a node at each customer's location. Traditionally, this means either shipping pre-configured hardware (expensive, slow) or sending a technician to install software (even more expensive).
With protected groups and one-time install keys, you generate a unique install link for each customer. You email them the link with simple instructions: "Paste this into a terminal on any Linux machine with Docker, or into PowerShell on Windows." The customer runs the command. The node joins your fleet. The key is consumed.
The customer does not need technical expertise. They do not need to know what Docker is or how tunneling works. They paste one line, and the node is online. You see it in your dashboard within two minutes.
If a customer shares their install link with someone else — accidentally or intentionally — it does not matter. The key is already used. No unauthorized device can join your group.
Preventing Unauthorized Registration
Without a valid one-time key, no device can join a protected group — even if someone knows your API endpoint or subdomain. Every node in a protected group was explicitly authorized by you.
For businesses that resell connectivity or deploy nodes at customer locations, protected groups are essential. They give you control over who joins your fleet while keeping the installation process simple enough for anyone to execute. One command, one key, one node.