How to remove dead fronted tokens

zrok
1

In the case zrok agent suddenly dies for some reasons (example: a power line cut-off) the fronted token remains alive in the zrok database.

So I end up with a lot of icons in API Console linked to the same ziti identity id (z_id), and having the same bind local address:port.

There is the delete button. So I can release these dead tokens manually but I need to know which is active. With 9 access tokens such a operation is tricky. So I let them alone. But they fill up the console with the junk. I have several users with the same issue.

select id, environment_id, token, z_id, created_at, updated_at, deleted, bind_address from frontends where z_id = 'F4QGPJFyfp' and deleted='f';
 id  | environment_id |    token     |    z_id    |          created_at           |          updated_at           | deleted |  bind_address  
-----+----------------+--------------+------------+-------------------------------+-------------------------------+---------+----------------
 495 |             57 | DsJt6TcjckMh | F4QGPJFyfp | 2025-05-30 05:12:23.619696+00 | 2025-05-30 05:12:24.551853+00 | f       | 127.0.0.1:9443
 496 |             57 | wJYIKMGpSTny | F4QGPJFyfp | 2025-05-30 05:12:27.631044+00 | 2025-05-30 05:12:28.61566+00  | f       | 127.0.0.1:9191
 497 |             57 | aVjaQoBZqbjT | F4QGPJFyfp | 2025-05-30 14:37:19.632267+00 | 2025-05-30 14:37:21.12727+00  | f       | 127.0.0.1:8181
 498 |             57 | VOtgK58o7NOO | F4QGPJFyfp | 2025-05-30 14:37:24.225439+00 | 2025-05-30 14:37:25.195018+00 | f       | 127.0.0.1:9443
 499 |             57 | XCLrtJdnKTfj | F4QGPJFyfp | 2025-05-30 14:37:28.427756+00 | 2025-05-30 14:37:29.372851+00 | f       | 127.0.0.1:9191
 500 |             57 | 3NefSbuxP9nX | F4QGPJFyfp | 2025-05-30 15:46:39.720226+00 | 2025-05-30 15:46:40.875142+00 | f       | 127.0.0.1:8181
 501 |             57 | BhEXhJ6aqrGW | F4QGPJFyfp | 2025-05-30 15:46:42.252246+00 | 2025-05-30 15:46:43.173679+00 | f       | 127.0.0.1:9443
 502 |             57 | bzK7LwkEnCPo | F4QGPJFyfp | 2025-05-30 15:46:44.548646+00 | 2025-05-30 15:46:45.463368+00 | f       | 127.0.0.1:9191
 494 |             57 | 8MbLErIG6cZz | F4QGPJFyfp | 2025-05-30 05:12:19.4165+00   | 2025-05-30 05:12:20.448916+00 | f       | 127.0.0.1:8181
2

There is not currently a solution or workaround for this.

The upcoming remote agent support will potentially be helpful in identifying what's currently in use and what is not.

3

In this case I will do it manually, one by one.
The active token is the last in the sorted list for each bind_address.

select token, created_at, updated_at,  bind_address from frontends where z_id = 'Qup3x3wguV' and deleted='f' order by bind_address, updated_at;
    token     |          created_at           |          updated_at           |  bind_address  
--------------+-------------------------------+-------------------------------+----------------
 vqsKLoagwTXY | 2025-05-11 16:11:37.036265+00 | 2025-05-11 16:11:39.037117+00 | 127.0.0.1:8181
 k2yskPu58QJc | 2025-05-24 16:30:26.299639+00 | 2025-05-24 16:30:27.334236+00 | 127.0.0.1:8181
 I5AADwDT21h4 | 2025-05-11 17:46:57.305645+00 | 2025-05-11 17:46:58.749567+00 | 127.0.0.1:9191
 k0jYuB9t7NVl | 2025-05-24 16:30:29.222431+00 | 2025-05-24 16:30:30.321485+00 | 127.0.0.1:9191
 yXbTPAMcExkw | 2025-05-11 16:11:31.564323+00 | 2025-05-11 16:11:33.314581+00 | 127.0.0.1:9443
 UtEGH0lwYtjf | 2025-05-24 16:30:23.121607+00 | 2025-05-24 16:30:24.42459+00  | 127.0.0.1:9443
(6 rows)

So the result is as below

select token, created_at, updated_at,  bind_address from frontends where z_id = 'Qup3x3wguV' and deleted='f' order by bind_address, updated_at;
    token     |          created_at           |          updated_at           |  bind_address  
--------------+-------------------------------+-------------------------------+----------------
 k2yskPu58QJc | 2025-05-24 16:30:26.299639+00 | 2025-05-24 16:30:27.334236+00 | 127.0.0.1:8181
 k0jYuB9t7NVl | 2025-05-24 16:30:29.222431+00 | 2025-05-24 16:30:30.321485+00 | 127.0.0.1:9191
 UtEGH0lwYtjf | 2025-05-24 16:30:23.121607+00 | 2025-05-24 16:30:24.42459+00  | 127.0.0.1:9443
(3 rows)

I hope it is correct. So far I don't see any error in logs.

4

This is probably true with the usage patterns in your environment, but could not be generalized to an implementation in zrok.

Generally, in practice, most users self-clean these things, and limits ensure that they do not produce too many of them before hitting a limit.

5

I have noticed a proliferation of unused frontend tokens.

Firstly I did not have a clue how it has happened.

Today I have discovered that these dead tokens have the same cause - a power line cutoff.

Zrok had not time to release the shares. When the power comes back and user starts its home computer zrok creates a new token.