Running `zerotier-cli -T**** join` returns `401`

Hi all,

I’m very new to ZeroTier, so it’s quite likely I’m misunderstanding how to use the -T switch. I’m currently trying on Ubuntu 18.04, but I don’t believe that’s relevant.

The command help says:

-T<token>               - Authentication token (default: auto)

I generated an API access token on ZeroTier Central

My “Access Control” policy is: PRIVATE (Nodes must be authorized to become members)
I tried:

  • sudo zerotier-cli -Tfull_path_to_file_containing_token join my_network_ID
  • sudo zerotier-cli -Tfilename_only join my_network_ID
  • sudo zerotier-cli -Tactual_token_value join my_network_ID

All of the above return:

401 join {}


  • Am I incorrectly understanding the purpose of that switch? Can a node only be authorized via the UI?
  • If auto is the default option for that switch, what are the other possible values?

Any insight will be much appreciated :pray:

I believe that the authentication token should be the one that zerotier generated when it was first installed. This is located in /var/lib/zerotier-one/authtoken.secret or ~/.zeroTierOneAuthToken on ubuntu.

There are two kinds of authentication tokens. One authenticates against the zerotier service running on your computer. The second authenticates against the external network controller API. The -T flag on the zerotier-cli command is the former local token. You can’t use the API token there.

Users must be authorized from the web UI or via the API as described here and here

Zerotier-cli does not directly use the management API at all I believe.

The two APIs are described here and here.

1 Like

zerotier-one runs in the background on a machine, and is interacted with via a REST api via the zerotier-cli command or the UI tray application. As it’s a rest API, an API key is generated on first start of ZeroTier and that’s what’s used to communicate with the backend. Assuming you’re using an administrator command prompt to use zerotier-cli, there’s nothing you need to do manually to make use of this API key. It’s done automatically.

The API key you generated at is not the same token for the same use. That’s a token for use against the API at and will not work with zerotier-cli

1 Like

Thanks a lot for clarifying, @maxwellfire! I didn’t realize there were 2 separate APIs.

What I was ultimately trying to achieve was to remove the need to authorize the member via the UI. I was hoping there’d be a way to pass an “auth key” of some sort to join a network as an authorized member programmatically.

Reading your reply, I understand that’s not possible :frowning:

Thank you, @zt-grant!

Your post and @maxwellfire’s answer my question. It just not the answer I was hoping for :grin:

If you make the proper request to the zerotier central API, then you can add your client id, and then when you join the network it will be already authorized.

using the example found here you with curl

curl -X POST -d '{"config": {"authorized": true}}' -H "Authorization: bearer <API_auth_token>"<network_id>/member/<client_id_to_authorize>

if you then joined the network with the same client_id_to_authorize then you shouldn’t have to authorize them in the UI

1 Like

Thanks, @maxwellfire!

That works perfectly for what I’m trying to do.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.