โš™๏ธ Configuration Guide

July 2, 2026 ยท View on GitHub

Pulse uses a split-configuration model to ensure security and flexibility.

FilePurposeSecurity Level
.envAuthentication & Secrets๐Ÿ”’ Critical (Read-only by owner)
.encryption.keyEncryption key for .enc files๐Ÿ”’ Critical
.audit-signing.keyAudit log signing key (Pro/legacy Pro+/Cloud, encrypted)๐Ÿ”’ Sensitive
system.jsonGeneral Settings๐Ÿ“ Standard
nodes.encNode Credentials๐Ÿ”’ Encrypted (AES-256-GCM)
alerts.jsonAlert Rules๐Ÿ“ Standard
email.encSMTP settings๐Ÿ”’ Encrypted
webhooks.encWebhook URLs + headers๐Ÿ”’ Encrypted
apprise.encApprise notification config๐Ÿ”’ Encrypted
oidc.encOIDC provider config๐Ÿ”’ Encrypted
sso.encSAML/SSO provider config๐Ÿ”’ Encrypted
api_tokens.jsonAPI token records (hashed)๐Ÿ”’ Sensitive
ai.encAI settings and credentials๐Ÿ”’ Encrypted
ai_findings.jsonAI Patrol findings๐Ÿ“ Standard
ai_patrol_runs.jsonAI Patrol run history๐Ÿ“ Standard
ai_usage_history.jsonAI usage history๐Ÿ“ Standard
ai_chat_sessions.jsonLegacy AI chat sessions (UI sync)๐Ÿ“ Standard
license.encRelay/Pro/legacy Pro+/Cloud license key๐Ÿ”’ Encrypted
host_metadata.jsonHost notes, tags, and AI command overrides๐Ÿ“ Standard
docker_metadata.jsonDocker metadata cache๐Ÿ“ Standard
guest_metadata.jsonGuest notes and metadata๐Ÿ“ Standard
agent_profiles.jsonAgent configuration profiles (Pro/legacy Pro+/Cloud)๐Ÿ“ Standard
agent_profile_assignments.jsonAgent profile assignments (Pro/legacy Pro+/Cloud)๐Ÿ“ Standard
profile-versions.jsonAgent profile version history (Pro/legacy Pro+/Cloud)๐Ÿ“ Standard
profile-deployments.jsonAgent profile deployment status (Pro/legacy Pro+/Cloud)๐Ÿ“ Standard
profile-changelog.jsonAgent profile change log (Pro/legacy Pro+/Cloud)๐Ÿ“ Standard
recovery_tokens.jsonRecovery tokens (short-lived)๐Ÿ”’ Sensitive
sessions.jsonPersistent sessions (includes OIDC refresh tokens)๐Ÿ”’ Sensitive
update-history.jsonlUpdate history log (in-app updates)๐Ÿ“ Standard
metrics.dbPersistent metrics history (SQLite)๐Ÿ“ Standard
audit.dbAudit log database (Pro/legacy Pro+/Cloud, SQLite)๐Ÿ”’ Sensitive
baselines.jsonAI baseline data for anomaly detection๐Ÿ“ Standard
ai_correlations.jsonAI correlation analysis cache๐Ÿ“ Standard
ai_patterns.jsonAI pattern detection data๐Ÿ“ Standard
ai_remediations.jsonAI remediation suggestions๐Ÿ“ Standard
ai_incidents.jsonAI incident tracking๐Ÿ“ Standard
org.jsonOrganization metadata (multi-tenant)๐Ÿ“ Standard

Guest metadata entries are keyed by the canonical guest ID format instance:node:vmid (for example, pve1:node1:100). Legacy dash-separated keys are migrated automatically.

All files are located in /etc/pulse/ (Systemd) or /data/ (Docker/Kubernetes) by default.

Path overrides:

  • PULSE_DATA_DIR sets the base directory for system.json, encrypted files, and the bootstrap token.
  • PULSE_METRICS_DB_PATH sets only the metrics SQLite database path. Use this for tmpfs-backed metrics history without moving secrets or config off the persistent data directory.

Multi-tenant layout:

  • Default org uses the root data directory for backward compatibility.
  • Non-default orgs store data under /orgs/<org-id>/.
  • Migration may create /orgs/default/ and symlinks in the root data directory.

๐Ÿ” Authentication (.env)

This file controls access to Pulse. It is never exposed to the UI.

# /etc/pulse/.env

# Admin Credentials (bcrypt hashed; plain text auto-hashes on startup)
PULSE_AUTH_USER='admin'
PULSE_AUTH_PASS='\$2a\$12$...' 
Advanced: Automated Setup (Skip UI)

You can pre-configure Pulse by setting environment variables. Plain text credentials are automatically hashed on startup.

# Docker Example
docker run -d \
  -e PULSE_AUTH_USER=admin \
  -e PULSE_AUTH_PASS=secret123 \
  rcourtman/pulse:latest
Advanced: OIDC / SSO

Configure Single Sign-On in Settings โ†’ Security โ†’ Single Sign-On, or use environment variables to lock the configuration.

See OIDC Documentation and Proxy Auth for details.

Environment overrides (lock the corresponding UI fields):

VariableDescription
OIDC_ENABLEDEnable OIDC (true/false)
OIDC_ISSUER_URLIssuer URL from your IdP
OIDC_CLIENT_IDClient ID
OIDC_CLIENT_SECRETClient secret
OIDC_REDIRECT_URLOverride redirect URL (defaults to <public-url>/api/oidc/<provider-id>/callback)
OIDC_LOGOUT_URLOptional logout URL
OIDC_SCOPESSpace or comma-separated scopes
OIDC_USERNAME_CLAIMClaim for username (default: preferred_username)
OIDC_EMAIL_CLAIMClaim for email (default: email)
OIDC_GROUPS_CLAIMClaim for groups
OIDC_ALLOWED_GROUPSAllowed groups (space or comma-separated)
OIDC_ALLOWED_DOMAINSAllowed email domains (space or comma-separated)
OIDC_ALLOWED_EMAILSAllowed emails (space or comma-separated)
OIDC_GROUP_ROLE_MAPPINGSComma-separated group=role mappings (Pro/legacy Pro+/Cloud)
OIDC_CA_BUNDLECustom CA bundle path

Note: API_TOKEN / API_TOKENS in .env are legacy and ignored at runtime in v6. Manage API tokens in the UI (api_tokens.json) for supported behavior.


๐Ÿ–ฅ๏ธ System Settings (system.json)

Controls runtime behavior like logging, polling intervals, and UI preferences. Legacy port fields in system.json are ignored; use FRONTEND_PORT instead.

Example system.json
{
  "pvePollingInterval": 10,       // Seconds
  "backendPort": 3000,            // Legacy (unused)
  "frontendPort": 7655,           // Legacy (ignored; use FRONTEND_PORT)
  "logLevel": "info",             // debug, info, warn, error
  "autoUpdateEnabled": false,     // Enable auto-update checks
  "adaptivePollingEnabled": false, // Smart polling for large clusters
  "allowedOrigins": "",           // CORS allowlist (single origin or "*")
  "allowEmbedding": false,        // Allow iframe embedding
  "allowedEmbedOrigins": "",      // Comma-separated origins for iframe embedding
  "webhookAllowedPrivateCIDRs": "" // Allowlist for private webhook targets
}

Note: logFormat is only configurable via the LOG_FORMAT environment variable, not in system.json. Note: autoUpdateTime is stored by the UI, but the systemd timer uses its own schedule.

Supported system.json Keys

Numeric intervals are seconds unless noted otherwise.

KeyDescription
pvePollingIntervalPVE polling interval
pbsPollingIntervalPBS polling interval
pmgPollingIntervalPMG polling interval
backupPollingIntervalBackup polling interval (0 = auto)
backupPollingEnabledEnable backup polling
adaptivePollingEnabledEnable adaptive polling
adaptivePollingBaseIntervalBase interval for adaptive polling
adaptivePollingMinIntervalMinimum adaptive polling interval
adaptivePollingMaxIntervalMaximum adaptive polling interval
connectionTimeoutAPI connection timeout
logLevelServer log level (debug, info, warn, error)
allowedOriginsCORS allowlist (single origin or *)
allowEmbeddingAllow iframe embedding
allowedEmbedOriginsComma-separated frame-ancestors allowlist
webhookAllowedPrivateCIDRsAllowlist for private webhook targets
updateChannelUpdate channel (stable or rc)
autoUpdateEnabledAllow one-click updates
autoUpdateCheckIntervalUpdate check interval (hours)
autoUpdateTimeUI-stored preferred update time
publicURLPublic URL used in links/notifications
hideLocalLoginHide username/password login form
temperatureMonitoringEnabledEnable temperature monitoring (where supported)
dnsCacheTimeoutDNS cache timeout
sshPortDefault SSH port for temperature collection
discoveryEnabledEnable auto-discovery
discoverySubnetCIDR or auto
discoveryConfigDiscovery tuning object (see below)
themeUI theme (light, dark, or empty for system)
fullWidthModeUI layout preference
metricsRetentionRawHoursRaw metrics retention (hours)
metricsRetentionMinuteHoursMinute metrics retention (hours)
metricsRetentionHourlyDaysHourly metrics retention (days)
metricsRetentionDailyDaysDaily metrics retention (days)
disableDockerUpdateActionsHide Docker update actions in UI
backendPortLegacy (unused)
frontendPortLegacy (ignored; use FRONTEND_PORT)

discoveryConfig supports:

  • environmentOverride, subnetAllowlist, subnetBlocklist
  • maxHostsPerScan, maxConcurrent, enableReverseDns, scanGateways
  • dialTimeoutMs, httpTimeoutMs

Common Overrides (Environment Variables)

Environment variables take precedence over system.json.

VariableDescriptionDefault
FRONTEND_PORTPublic listening port (web UI, API, and agent ingest)7655
PORTDeprecated legacy alias for FRONTEND_PORT, honored only when FRONTEND_PORT is unset. Logs a deprecation warning at startup; switch to FRONTEND_PORT.(unset)
PULSE_AGENT_INGEST_PORTOptional dedicated port that serves only agent ingest (/api/agents/*), network-isolated from the web UI and the rest of the API. 0 = disabled (single port). See Split-Port Agent Ingest.0
LOG_LEVELLog verbosity (see below)info
LOG_FORMATLog output format (auto, json, console)auto
LOG_FILELog file path (enables file logging)(unset)
LOG_MAX_SIZELog rotation size (MB)100
LOG_MAX_AGEKeep rotated logs for N days (0 disables cleanup)30
LOG_COMPRESSGzip rotated logstrue

Log Levels

LevelDescription
errorOnly errors and critical issues
warnErrors + warnings (recommended for minimal logging)
infoStandard operational messages (startup, connections, alerts)
debugVerbose output including per-guest/storage polling details

Tip: If your syslog is being flooded with Pulse messages, set LOG_LEVEL=warn to significantly reduce log volume while still capturing important events.

VariableDescriptionDefault
PULSE_PUBLIC_URLURL for UI links, notifications, and OIDC. For reverse proxies, keep this as the public URL and use PULSE_AGENT_CONNECT_URL for agent installs if you need a direct/internal address.Auto-detected
PULSE_PRO_TRIAL_SIGNUP_URLLegacy hosted commercial base URL retained for hosted entitlement refresh compatibility. The path is ignored for refresh and normal self-hosted v6 UI must not surface trial signup. Must be absolute http(s) URL.https://cloud.pulserelay.pro
PULSE_AGENT_CONNECT_URLDedicated direct URL for agents (overrides PULSE_PUBLIC_URL for agent install commands). Alias: PULSE_AGENT_URL.(unset)
PULSE_AGENT_CONFIG_SIGNING_KEYBase64 Ed25519 private key used to sign remote agent config payloads.(unset)
PULSE_AGENT_CONFIG_PUBLIC_KEYSComma-separated base64 Ed25519 public keys (raw 32-byte or PKIX-encoded) trusted by agents.(unset)
PULSE_AGENT_CONFIG_SIGNATURE_REQUIREDRequire signed remote config payloads (set on Pulse and agents).false
ALLOWED_ORIGINSCORS allowed origin (* or a single origin). Empty = same-origin only.(unset)
DISCOVERY_ENABLEDAuto-discover nodesfalse
DISCOVERY_SUBNETCIDR or autoauto
DISCOVERY_ENVIRONMENT_OVERRIDEForce discovery environment (auto, native, docker-host, docker-bridge, lxc-privileged, lxc-unprivileged)auto
DISCOVERY_SUBNET_ALLOWLISTComma-separated CIDRs allowed for discovery(empty)
DISCOVERY_SUBNET_BLOCKLISTComma-separated CIDRs excluded from discovery169.254.0.0/16
DISCOVERY_MAX_HOSTS_PER_SCANMax hosts to scan per run1024
DISCOVERY_MAX_CONCURRENTMax concurrent discovery probes50
DISCOVERY_ENABLE_REVERSE_DNSEnable reverse DNS lookup (true/false)true
DISCOVERY_SCAN_GATEWAYSInclude gateway IPs in discovery (true/false)true
DISCOVERY_DIAL_TIMEOUT_MSTCP dial timeout (ms)1000
DISCOVERY_HTTP_TIMEOUT_MSHTTP probe timeout (ms)2000
PULSE_AUTH_HIDE_LOCAL_LOGINHide username/password formfalse
DEMO_MODEEnable read-only demo modefalse
PULSE_TRUSTED_PROXY_CIDRSComma-separated IPs/CIDRs trusted to supply X-Forwarded-For/X-Real-IP(unset)
PULSE_TRUSTED_NETWORKSComma-separated CIDRs treated as trusted local networks (does not bypass auth)(unset)
ALLOW_UNPROTECTED_EXPORTAllow unauthenticated config export on public networks when no auth is configured (use with caution)false

Split-Port Agent Ingest (Network Isolation)

By default Pulse serves the web UI, the REST API, and agent check-in together on FRONTEND_PORT. For deployments that expose Pulse to monitored hosts across an untrusted network (for example, a managed service provider whose clients' Proxmox nodes reach a central Pulse server over the internet), you can move agent check-in onto its own dedicated port and keep the web UI and management API on a separate, firewalled port.

Set PULSE_AGENT_INGEST_PORT to a port other than FRONTEND_PORT:

PULSE_AGENT_INGEST_PORT=7656

When enabled:

  • The dedicated port serves only the agent-ingest routes (/api/agents/*). Every other path, including the web UI, login, and the management API, returns 404. A host that can reach the agent port cannot pivot to the management interface.
  • The main FRONTEND_PORT listener is unchanged and still serves everything (including agent ingest), so existing single-port installs keep working. The dedicated listener is purely additive.
  • The value is validated at startup: it must be between 1 and 65535 and must differ from FRONTEND_PORT and the HTTP redirect port. An invalid value is rejected.

Expose only PULSE_AGENT_INGEST_PORT to your monitored hosts and keep FRONTEND_PORT on a private network or behind your firewall/VPN. Point agents at the dedicated port by setting PULSE_AGENT_CONNECT_URL to that port's public address, so generated agent install commands send check-ins there:

PULSE_AGENT_INGEST_PORT=7656
PULSE_AGENT_CONNECT_URL=https://agents.example.com:7656

Agents then post telemetry to https://agents.example.com:7656/api/agents/agent/report, while the web UI and management API remain reachable only on the private FRONTEND_PORT listener.

Iframe Embedding (system.json)

Embedding is controlled by system.json and the UI (Settings โ†’ System โ†’ Network):

  • allowEmbedding (boolean): enables iframe embedding
  • allowedEmbedOrigins (comma-separated): restricts frame-ancestors when embedding is enabled

When allowEmbedding is false, Pulse sends X-Frame-Options: DENY and frame-ancestors 'none'.

Monitoring Overrides

VariableDescriptionDefault
PVE_POLLING_INTERVALPVE metrics polling frequency10s
PBS_POLLING_INTERVALPBS metrics polling frequency60s
PMG_POLLING_INTERVALPMG metrics polling frequency60s
CONNECTION_TIMEOUTAPI connection timeout60s
BACKUP_POLLING_CYCLESPoll cycles between backup checks10
ENABLE_BACKUP_POLLINGEnable backup job monitoringtrue
BACKUP_POLLING_INTERVALBackup polling frequency0 (Auto)
ENABLE_TEMPERATURE_MONITORINGEnable temperature monitoring (where supported)true
SSH_PORTSSH port for temperature collection over SSH22
ADAPTIVE_POLLING_ENABLEDEnable smart polling for large clustersfalse
ADAPTIVE_POLLING_BASE_INTERVALBase interval for adaptive polling10s
ADAPTIVE_POLLING_MIN_INTERVALMinimum adaptive polling interval5s
ADAPTIVE_POLLING_MAX_INTERVALMaximum adaptive polling interval5m
GUEST_METADATA_MIN_REFRESH_INTERVALMinimum refresh for guest metadata2m
GUEST_METADATA_REFRESH_JITTERJitter for guest metadata refresh45s
GUEST_METADATA_RETRY_BACKOFFRetry backoff for guest metadata30s
GUEST_METADATA_MAX_CONCURRENTMax concurrent guest metadata fetches4
DNS_CACHE_TIMEOUTCache TTL for DNS lookups5m
MAX_POLL_TIMEOUTMaximum time per polling cycle3m
PULSE_DISABLE_DOCKER_UPDATE_ACTIONSHide Docker update buttons (read-only mode)false
PULSE_ENABLE_PROXMOX_GUEST_DOCKER_DETECTIONAllow Proxmox-side LXC Docker socket hinting with pct execfalse
PULSE_ENABLE_PROXMOX_GUEST_DOCKER_INVENTORYAllow Proxmox-side minimal LXC Docker inventory collection with pct exec; collects Docker host/container summary, not inspect/env/mount/process datafalse
PULSE_PROXMOX_GUEST_DOCKER_INVENTORY_VMIDSOptional comma-separated VMID allowlist for Proxmox-side LXC Docker inventory; empty means all running Docker-enabled LXCs are eligible when inventory is enabled(unset)
PULSE_TELEMETRYOutbound usage telemetry (details); set false to disabletrue

Logging Overrides

VariableDescriptionDefault
LOG_FILELog file path (empty = stderr only)(unset)
LOG_MAX_SIZELog file max size (MB)100
LOG_MAX_AGELog file retention (days, 0 disables cleanup)30
LOG_COMPRESSCompress rotated logstrue

Update Settings (system.json)

These are stored in system.json and managed via the UI.

KeyDescriptionDefault
updateChannelUpdate channel (stable or rc)stable
autoUpdateEnabledAllow one-click updatesfalse
autoUpdateCheckIntervalBackground update check interval in hours (0 disables)24
autoUpdateTimeStored UI preference (systemd timer has its own schedule)03:00

Note: Update settings are stored in system.json. Legacy .env entries (UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME) are kept in sync for backwards compatibility but are not read at runtime.

stable is the default and recommended production channel. rc is an opt-in preview channel. In v6, unattended systemd auto-updates remain stable-only even when updateChannel is set to rc.

Auto-Import (Bootstrap)

You can auto-import an encrypted backup on first startup. This is useful for automated provisioning and test environments.

VariableDescription
PULSE_INIT_CONFIG_DATABase64 or raw contents of an export bundle (auto-imports on first start)
PULSE_INIT_CONFIG_FILEPath to an export bundle on disk (auto-imports on first start)
PULSE_INIT_CONFIG_PASSPHRASEPassphrase for the export bundle (required)

Note: PULSE_INIT_CONFIG_URL is only supported by the hidden pulse config auto-import command, not by the server startup auto-import.

Developer/Test Overrides (Environment Variables)

These are primarily for development or test harnesses and should not be used in production.

VariableDescriptionDefault
PULSE_UPDATE_SERVEROverride update server base URL (testing only)(unset)
PULSE_UPDATE_STAGE_DELAY_MSAdds artificial delays between update stages (testing only)(unset)
PULSE_ALLOW_DOCKER_UPDATESExpose update UI/actions in Docker (debug only)false
PULSE_DEV_ALLOW_CONTAINER_SSHAllow SSH-based temperature collection from containers (dev/test only)false
PULSE_AI_ALLOW_LOOPBACKAllow AI tool HTTP fetches to loopback addressesfalse
PULSE_LICENSE_PUBLIC_KEYOverride embedded license public key (base64, dev only)(unset)
PULSE_LICENSE_DEV_MODESkip license verification (development only)false

Metrics Retention (Tiered)

Persistent metrics history uses tiered retention windows. These values are stored in system.json and can be adjusted for storage vs history depth:

  • metricsRetentionRawHours
  • metricsRetentionMinuteHours
  • metricsRetentionHourlyDays
  • metricsRetentionDailyDays

See METRICS_HISTORY.md for details.

Prometheus Metrics Endpoint

The /metrics listener is separate from the main UI/API listener and binds to loopback by default.

VariableDescriptionDefault
PULSE_METRICS_PORTMetrics listener port9091
PULSE_METRICS_BIND_ADDRESSMetrics listener bind address127.0.0.1
PULSE_METRICS_TOKENOptional bearer token for /metrics(empty)
PULSE_METRICS_ALLOW_INSECURE_REMOTEExplicit opt-in to serve a metrics bearer token over non-loopback plaintext HTTPfalse

For remote scraping with PULSE_METRICS_TOKEN, prefer a local scraper, tunnel, VPN-private path, or TLS/mTLS reverse proxy. Pulse refuses non-loopback plaintext token scraping unless PULSE_METRICS_ALLOW_INSECURE_REMOTE=true is set.


๐Ÿ”” Alerts (alerts.json)

Pulse uses a powerful alerting engine with hysteresis (separate trigger/clear thresholds) to prevent flapping.

Managed via UI: Alerts โ†’ Thresholds

Manual Configuration (JSON)
{
  "guestDefaults": {
    "cpu": { "trigger": 90, "clear": 80 },
    "memory": { "trigger": 85, "clear": 72.5 }
  },
  "schedule": {
    "quietHours": {
      "enabled": true,
      "start": "22:00",
      "end": "06:00"
    }
  }
}

Availability Checks (availability_targets.enc)

Availability checks are agentless probes for devices and services where Pulse cannot install an agent or does not need full machine telemetry. Use them for simple ping monitoring, TCP service checks, and HTTP/HTTPS status checks.

Managed via UI: Settings -> Monitoring -> Availability checks

Supported protocols:

ProtocolUse caseRequired fields
icmpPing-only reachability for devices, computers, and appliancesaddress
pingAPI input alias for icmp; saved targets return icmpaddress
tcpA reachable port such as MQTT, SSH, or a custom serviceaddress, port
http / httpsWeb UI or health endpoint availabilityaddress, optional port, optional path

Saved targets include name, targetKind (machine, service, or device), address, protocol, enabled, polling interval, timeout, failure threshold, and an optional linkedResourceId. ICMP ping is the default probe for new targets. Availability targets publish network-endpoint resources and can raise downtime alerts after the configured failure threshold.

Example API payload for simple ping monitoring:

{
  "name": "Garage temperature sensor",
  "targetKind": "device",
  "address": "garage-sensor.local",
  "protocol": "ping",
  "enabled": true
}

Pulse stores and returns that target as protocol: "icmp" so dashboards, alerts, and resource projections keep one canonical protocol value.


๐Ÿ”’ HTTPS / TLS

Enable HTTPS by providing certificate files via environment variables.

# Systemd
HTTPS_ENABLED=true
TLS_CERT_FILE=/etc/pulse/cert.pem
TLS_KEY_FILE=/etc/pulse/key.pem

# Docker
docker run --init -e HTTPS_ENABLED=true \
  -v /path/to/certs:/certs \
  -e TLS_CERT_FILE=/certs/cert.pem \
  -e TLS_KEY_FILE=/certs/key.pem ...

Important (Docker with HTTPS): Always use --init (or init: true in docker-compose) when enabling HTTPS. The Alpine-based healthcheck uses busybox wget, which spawns ssl_client subprocesses. Without an init process to reap them, these become zombie processes over time.


๐Ÿ›ก๏ธ Security Best Practices

  1. Permissions: Ensure .env and nodes.enc are 600 (read/write by owner only).
  2. Backup hygiene: Back up .env separately from system.json.
  3. Tokens: Use scoped API tokens for agents instead of the admin password.

๐Ÿ”‘ API Tokens

API tokens provide scoped, revocable access to Pulse. Manage tokens in Settings โ†’ Security โ†’ API Tokens.

The token shown during first-run setup is the primary automation API token for that Pulse instance. It is separate from your web login password and is meant for agents, scripts, integrations, kiosks, and temporary setup handoffs. Tokens are shown once; later token rows show only identifying hints such as prefix, suffix, label, scopes, and last-used metadata.

Revoking a token is safe for Pulse itself, but it immediately breaks any agent, script, kiosk, or integration still using that token. When a consumer needs to stay online, create and install a replacement token first, then revoke the old one. An agent whose token has been revoked stops authenticating until it is reinstalled or reconfigured with a valid token.

Token Scopes

ScopeDescription
* (Full access)All permissions (legacy, not recommended)
monitoring:readView dashboards, metrics, alerts
monitoring:writeAcknowledge/silence alerts
docker:reportDocker / Podman agent telemetry submission
docker:manageDocker / Podman container lifecycle actions (restart, stop)
kubernetes:reportKubernetes agent telemetry submission
kubernetes:manageKubernetes cluster management
agent:reportAgent host telemetry submission
agent:config:readRead agent config payloads
agent:manageManage registered agents (unlink/delete/config)
settings:readRead configuration
settings:writeModify configuration

Presets

The UI offers quick presets for common use cases:

PresetScopesUse Case
Kiosk / Dashboardmonitoring:readRead-only dashboard displays
Agent hostagent:reportAgent host telemetry authentication
Docker / Podman reportdocker:reportDocker / Podman agent (read-only)
Docker / Podman managedocker:report, docker:manageDocker / Podman agent with actions
Settings readsettings:readRead-only config access
Settings adminsettings:read, settings:writeFull config access

Kiosk Mode

For unattended displays (wall monitors, dashboards), use a kiosk token to avoid cookie persistence issues:

  1. Go to Settings โ†’ Security โ†’ API Tokens
  2. Click New token and select the Kiosk / Dashboard preset
  3. Copy the generated token
  4. Access Pulse via URL with token:
    https://your-pulse-url/?token=YOUR_TOKEN_HERE
    

Kiosk tokens:

  • Grant read-only dashboard access (monitoring:read scope)
  • Hide the Settings tab automatically
  • Work without cookies (token in URL)
  • Can be revoked anytime from the UI

Security note: URL tokens appear in browser history and server logs. Use only for read-only dashboard access on trusted networks.


TrueNAS Integration {#truenas}

Pulse v6 supports first-class TrueNAS SCALE and CORE monitoring.

Adding a TrueNAS Instance

  1. Go to Settings โ†’ TrueNAS.
  2. Click Add Connection.
  3. Enter the URL (e.g., https://truenas.local) and an API key.
  4. Click Test Connection to verify, then Save.

Creating a TrueNAS API Key

On your TrueNAS system:

  1. Navigate to the TrueNAS UI โ†’ Settings โ†’ API Keys.
  2. Click Add and create a new read-only key.
  3. Copy the key value and paste it into Pulse.

What Gets Monitored

DataWhere it appears
System info (CPU, memory, uptime)Infrastructure page
Virtual machinesTrueNAS Overview
AppsTrueNAS Overview
ZFS Pools & datasetsStorage page
Physical disksStorage page
ZFS SnapshotsRecovery page
Replication tasksRecovery page
TrueNAS alertsAlerts page

TrueNAS connections are stored encrypted in truenas.enc.


Relay / Mobile Remote Access (Relay and Above) {#relay}

The relay protocol provides end-to-end encrypted remote access foundations for Pulse mobile connectivity.

Supported Pulse Mobile clients pair here using the generated QR code or deep link once relay is enabled for this instance.

Configuration

  1. Go to Settings โ†’ Relay.
  2. Toggle relay On.
  3. Use the QR Code or Deep Link to pair a supported Pulse Mobile client.

Environment Overrides

For headless / container deployments that need to bootstrap relay without going through the UI, two environment variables override the persisted relay.enc values at load time:

VariableDescriptionDefault
PULSE_RELAY_ENABLEDEnable/disable relay (true/false/yes/no/1/0). Unset or unrecognized values leave the file value untouched.(unset)
PULSE_RELAY_SERVEROverride relay server URL. Must be a valid ws:// or wss:// URL with no userinfo, query, or fragment. Invalid values are logged and ignored.wss://relay.pulserelay.pro/ws/instance

Precedence: env vars beat the file. If you set PULSE_RELAY_ENABLED=true, saving the relay form in Settings โ†’ Relay will then persist the env-effective state to disk, so removing the env var later does not automatically revert relay back to its previous file-stored state โ€” clear relay in the UI as well if you want to fully disable it.

Security

  • All data is encrypted end-to-end using ECDH key exchange.
  • The relay server never sees plaintext monitoring data.
  • Each mobile session has its own encryption channel.
  • Requires a valid Relay, Pro, legacy Pro+, or Cloud license (gated by the relay feature key).

Relay config is stored encrypted in relay.enc.