cozystack · IvanStukov · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026
@@ -18,63 +18,114 @@ Troubleshooting advice can be found on our [Troubleshooting Cheatsheet](/docs/v0
 
 ## Deploying Cozystack
 
-### How to allocate space on system disk for user storage
+<details>
+<summary>How to allocate space on system disk for user storage</summary>
 
 Deploying Cozystack, [How to install Talos on a single-disk machine]({{% ref "/docs/v0/install/how-to/single-disk" %}})
 
-### How to Enable KubeSpan
+</details>
+<br>
+
+<details>
+<summary>How to Enable KubeSpan</summary>
 
 Deploying Cozystack, [How to Enable KubeSpan]({{% ref "/docs/v0/install/how-to/kubespan" %}})
 
-### How to enable Hugepages
+</details>
+<br>
+
+<details>
+<summary>How to enable Hugepages</summary>
 
 Deploying Cozystack, [How to enable Hugepages]({{% ref "/docs/v0/install/how-to/hugepages" %}}).
 
+</details>
+<br>
 
-### What if my cloud provider does not support MetalLB
+<details>
+<summary>What if my cloud provider does not support MetalLB</summary>
 
 Most cloud providers don't support MetalLB.
 Instead of using it, you can expose the main ingress controller using the external IPs method.
 
 For deploying on Hetzner, follow the specialized [Hetzner installation guide]({{% ref "/docs/v0/install/providers/hetzner" %}}).
 For other providers, follow the [Cozystack installation guide, Public IP Setup]({{% ref "/docs/v0/install/cozystack#4b-public-ip-setup" %}}).
 
-### Public-network Kubernetes deployment
+</details>
+<br>
+
+<details>
+<summary>Public-network Kubernetes deployment</summary>
 
 Deploying Cozystack, [Deploy with public networks]({{% ref "/docs/v0/install/how-to/public-ip" %}}).
 
+</details>
+
 ## Operations
 
-### How to enable access to dashboard via ingress-controller
+<details>
+<summary>How to enable access to dashboard via ingress-controller</summary>
 
 Update your `ingress` application and enable `dashboard: true` option in it.
 Dashboard will become available under: `https://dashboard.<your_domain>`
 
+</details>
+<br>
 
-### How to configure Cozystack using FluxCD or ArgoCD
+<details>
+<summary>How to configure Cozystack using FluxCD or ArgoCD</summary>
 
 Here you can find reference repository to learn how to configure Cozystack services using GitOps approach:
 
 - https://github.com/aenix-io/cozystack-gitops-example
 
-### How to generate kubeconfig for tenant users
+</details>
+<br>
+
+<details>
+<summary>How to generate kubeconfig for tenant users</summary>
 
 Moved to [How to generate kubeconfig for tenant users]({{% ref "/docs/v0/operations/faq/generate-kubeconfig" %}}).
 
-### How to Rotate Certificate Authority
+</details>
+<br>
+
+<details>
+<summary>How to use ServiceAccount tokens for API access</summary>
+
+See [ServiceAccount Tokens for API Access]({{% ref "/docs/v0/operations/faq/serviceaccount-api-access" %}}).
+
+</details>
+<br>
+
+<details>
+<summary>How to Rotate Certificate Authority</summary>
 
 Moved to Cluster Maintenance, [How to Rotate Certificate Authority]({{% ref "/docs/v0/operations/cluster/rotate-ca" %}}).
 
-### How to cleanup etcd state
+</details>
+<br>
+
+<details>
+<summary>How to cleanup etcd state</summary>
 
 Moved to Troubleshooting: [How to clean up etcd state]({{% ref "/docs/v0/operations/troubleshooting/etcd#how-to-clean-up-etcd-state" %}}).
 
+</details>
+
 ## Bundles
 
-### How to overwrite parameters for specific components
+<details>
+<summary>How to overwrite parameters for specific components</summary>
 
 Moved to Cluster configuration, [Components reference]({{% ref "/docs/v0/operations/configuration/components#overwriting-component-parameters" %}}).
 
-### How to disable some components from bundle
+</details>
+<br>
+
+<details>
+<summary>How to disable some components from bundle</summary>
 
 Moved to Cluster configuration, [Components reference]({{% ref "/docs/v0/operations/configuration/components#enabling-and-disabling-components" %}}).
+
+</details>
@@ -2,6 +2,7 @@
 title: "How to generate kubeconfig for tenant users"
 linkTitle: "Generate tenant kubeconfig"
 description: "A guide on how to generate a kubeconfig file for tenant users in Cozystack."
+weight: 30
 aliases:
   - /docs/operations/faq/generate-kubeconfig
 ---

@@ -0,0 +1,91 @@
+---
+title: "ServiceAccount Tokens for API Access"
+linkTitle: "ServiceAccount API Access"
+description: "How to retrieve and use ServiceAccount tokens in Cozystack."
+weight: 20
+aliases:
+  - /docs/v0/operations/api-access
+  - /docs/operations/api-access
+---
+
+## Prerequisites
+
+Before you begin, make sure that:
+-   A tenant already exists in Cozystack.
+    See [Create a User Tenant]({{% ref "/docs/v0/getting-started/create-tenant" %}}) if you haven't created one yet.
+-   You have access to the tenant namespace — either via OIDC credentials or an administrative kubeconfig.
+-   `kubectl` is installed and configured.
+-   (Optional) `jq` is installed.
+
+
+## Retrieving the ServiceAccount Token
+
+Each tenant in Cozystack has a Secret that contains a ServiceAccount token.
+The Secret has the same name as the tenant and is located in the tenant's namespace.
+
+{{< tabs name="get_token" >}}
+{{% tab name="Dashboard" %}}
+
+1.  Log in to the Dashboard as a user with access to the tenant.
+1.  Switch context to the target tenant if needed.
+1.  On the left sidebar, navigate to the **Administration** → **Info** page and open the **Secrets** tab.
+1.  Find the secret named `tenant-<name>` (e.g. `tenant-team1`), where the **Key** is **token**.
+1.  Click the eye icon to reveal the **Value** field, then click the revealed data. The text will be copied to the clipboard automatically.
+
+{{% /tab %}}
+
+{{% tab name="kubectl" %}}
+
+Retrieve the token for a tenant named `<name>`:
+
+```bash
+kubectl -n tenant-<name> get tenantsecret tenant-<name> -o json | jq -r '.data.token | @base64d'
+```
+
+To store the token in a variable for subsequent commands:
+
+```bash
+export TOKEN=$(kubectl -n tenant-<name> get tenantsecret tenant-<name> -o json | jq -r '.data.token | @base64d')
+```
+
+{{% /tab %}}
+{{< /tabs >}}
+
+## Using the Token for API Access
+
+Once you have the token, you can [generate a kubeconfig]({{% ref "/docs/v0/operations/faq/generate-kubeconfig" %}}) for kubectl access, or use it directly with `curl` as shown below.
+
+{{% alert color="warning" %}}
+**Token Security**
+
+ServiceAccount tokens in Cozystack **do not expire** by default. Handle them with the same care as passwords.
+{{% /alert %}}
+
+### Test the Connection
+
+First, verify your kubectl context points to the correct Cozystack cluster:
+
+```bash
+kubectl config current-context
+kubectl cluster-info
+```
+
+Next, get the API server address:
+
+```bash
+export API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
+```
+
+Then, extract the CA certificate from the tenant secret:
+
+```bash
+kubectl -n tenant-<name> get secret tenant-<name> -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
+```
+
+Now, test the connection:
+
+```bash
+curl --cacert ca.crt -H "Authorization: Bearer ${TOKEN}" ${API_SERVER}/api
+```
+
+> You can remove `ca.crt` after testing.
@@ -15,63 +15,114 @@ Troubleshooting advice can be found on our [Troubleshooting Cheatsheet](/docs/op
 
 ## Deploying Cozystack
 
-### How to allocate space on system disk for user storage
+<details>
+<summary>How to allocate space on system disk for user storage</summary>
 
 Deploying Cozystack, [How to install Talos on a single-disk machine]({{% ref "/docs/v1/install/how-to/single-disk" %}})
 
-### How to Enable KubeSpan
+</details>
+<br>
+
+<details>
+<summary>How to Enable KubeSpan</summary>
 
 Deploying Cozystack, [How to Enable KubeSpan]({{% ref "/docs/v1/install/how-to/kubespan" %}})
 
-### How to enable Hugepages
+</details>
+<br>
+
+<details>
+<summary>How to enable Hugepages</summary>
 
 Deploying Cozystack, [How to enable Hugepages]({{% ref "/docs/v1/install/how-to/hugepages" %}}).
 
+</details>
+<br>
 
-### What if my cloud provider does not support MetalLB
+<details>
+<summary>What if my cloud provider does not support MetalLB</summary>
 
 Most cloud providers don't support MetalLB.
 Instead of using it, you can expose the main ingress controller using the external IPs method.
 
 For deploying on Hetzner, follow the specialized [Hetzner installation guide]({{% ref "/docs/v1/install/providers/hetzner" %}}).
 For other providers, follow the [Cozystack installation guide, Public IP Setup]({{% ref "/docs/v1/install/cozystack#4b-public-ip-setup" %}}).
 
-### Public-network Kubernetes deployment
+</details>
+<br>
+
+<details>
+<summary>Public-network Kubernetes deployment</summary>
 
 Deploying Cozystack, [Deploy with public networks]({{% ref "/docs/v1/install/how-to/public-ip" %}}).
 
+</details>
+
 ## Operations
 
-### How to enable access to dashboard via ingress-controller
+<details>
+<summary>How to enable access to dashboard via ingress-controller</summary>
 
 Update your `ingress` application and enable `dashboard: true` option in it.
 Dashboard will become available under: `https://dashboard.<your_domain>`
 
+</details>
+<br>
 
-### How to configure Cozystack using FluxCD or ArgoCD
+<details>
+<summary>How to configure Cozystack using FluxCD or ArgoCD</summary>
 
 Here you can find reference repository to learn how to configure Cozystack services using GitOps approach:
 
 - https://github.com/aenix-io/cozystack-gitops-example
 
-### How to generate kubeconfig for tenant users
+</details>
+<br>
+
+<details>
+<summary>How to generate kubeconfig for tenant users</summary>
 
 Moved to [How to generate kubeconfig for tenant users]({{% ref "/docs/v1/operations/faq/generate-kubeconfig" %}}).
 
-### How to Rotate Certificate Authority
+</details>
+<br>
+
+<details>
+<summary>How to use ServiceAccount tokens for API access</summary>
+
+See [ServiceAccount Tokens for API Access]({{% ref "/docs/v1/operations/faq/serviceaccount-api-access" %}}).
+
+</details>
+<br>
+
+<details>
+<summary>How to Rotate Certificate Authority</summary>
 
 Moved to Cluster Maintenance, [How to Rotate Certificate Authority]({{% ref "/docs/v1/operations/cluster/rotate-ca" %}}).
 
-### How to cleanup etcd state
+</details>
+<br>
+
+<details>
+<summary>How to cleanup etcd state</summary>
 
 Moved to Troubleshooting: [How to clean up etcd state]({{% ref "/docs/v1/operations/troubleshooting/etcd#how-to-clean-up-etcd-state" %}}).
 
+</details>
+
 ## Bundles
 
-### How to overwrite parameters for specific components
+<details>
+<summary>How to overwrite parameters for specific components</summary>
 
 Moved to Cluster configuration, [Components reference]({{% ref "/docs/v1/operations/configuration/components#overwriting-component-parameters" %}}).
 
-### How to disable some components from bundle
+</details>
+<br>
+
+<details>
+<summary>How to disable some components from bundle</summary>
 
 Moved to Cluster configuration, [Components reference]({{% ref "/docs/v1/operations/configuration/components#enabling-and-disabling-components" %}}).
+
+</details>
@@ -2,6 +2,9 @@
 title: "How to generate kubeconfig for tenant users"
 linkTitle: "Generate tenant kubeconfig"
 description: "A guide on how to generate a kubeconfig file for tenant users in Cozystack."
+weight: 30
+aliases:
+  - /docs/v1/operations/faq/generate-kubeconfig
 ---
 
 To generate a `kubeconfig` for tenant users, use the following script.