
Agent channel service

This channel plugin manages communications with execution environments that are accessed via agents.


This module has a configuration file (agentchannel.yaml by default) that describes the host, port, ssl_context, trusted_authorities, and logfile to use. It can also enable insecure logins.

If no configuration file is found, it defaults to the following values:

kind: ServiceConfig
current-context: default
- context:
    port: 443
    ssl_context: adhoc
      token: invalid
  name: default

ssl_context is either adhoc, a list of two items (certificate file path and private key file path), or disabled (not recommended, will switch to plain HTTP).

A context can also contain a trusted_authorities entry, which is a list of public key files used for token validation.

A context can also allow for insecure (token-less) logins, if enable_insecure_login is set to true (by default, insecure logins are disabled).

Insecure logins, if enabled, are only allowed from a given address ( by default). This can be overridden by specifying insecure_bind_address.
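
The settings described above can be checked before a context is deployed. The following is an added example, not part of the OpenTestFactory code base: it takes one context as an already-parsed dict and flags the risky combinations. The function name, the severity labels, and the sample paths are assumptions made for illustration.

```python
import ipaddress

def audit_context(ctx):
    """Audit one agentchannel context (a dict, as parsed from the YAML file).
    Returns a list of (severity, message) tuples; empty means nothing flagged.
    Severity labels are this example's own, not the project's."""
    findings = []

    ssl = ctx.get("ssl_context")
    if ssl == "disabled":
        findings.append(("high", "ssl_context is disabled: plain HTTP, "
                                 "bearer tokens cross the network unencrypted"))
    elif ssl == "adhoc":
        findings.append(("info", "ssl_context is adhoc: no certificate/key pair configured"))
    elif not (isinstance(ssl, list) and len(ssl) == 2
              and all(isinstance(p, str) and p for p in ssl)):
        findings.append(("high", "ssl_context is not adhoc, disabled, "
                                 "or a [certificate, key] pair"))

    if not ctx.get("trusted_authorities"):
        findings.append(("high", "no trusted_authorities: "
                                 "no public key to validate tokens against"))

    if ctx.get("enable_insecure_login"):
        findings.append(("medium", "enable_insecure_login: token-less logins accepted"))
        addr = ctx.get("insecure_bind_address")
        if addr is not None:  # unset means the service default applies
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    findings.append(("high", f"insecure_bind_address {addr} is not loopback"))
            except ValueError:
                findings.append(("medium", f"insecure_bind_address {addr!r} is not an "
                                           "IP literal; cannot confirm it is loopback"))
    return findings

# Constructed sample contexts (paths are hypothetical).
WEAK = {"port": 443, "ssl_context": "disabled",
        "enable_insecure_login": True, "insecure_bind_address": "0.0.0.0"}
HARDENED = {"port": 443,
            "ssl_context": ["/etc/example/server.crt", "/etc/example/server.key"],
            "trusted_authorities": ["/etc/example/trusted_key.pub"]}

if __name__ == "__main__":
    for name, ctx in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for severity, message in audit_context(ctx) or [("ok", "nothing flagged")]:
            print(f"  [{severity}] {message}")
```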


python3 -m opentf.plugins.agentchannel [--context context] [--config configfile]


This module exposes the following endpoints:

  • /inbox (POST)
  • /agents (GET, POST)
  • /agents/{agent_id} (DELETE, GET, POST)
  • /agents/{agent_id}/files/{file_id} (GET, POST, PUT)

Whenever calling those endpoints, a signed token must be specified via the Authorization header.

This header has the following form:

Authorization: Bearer xxxxxxxx

The token must be signed by one of the trusted authorities specified in the current context.

The first endpoint, /inbox, is used to receive publications sent by the event bus. The other endpoints are used by agents and by management tools such as opentf-ctl.