Programmatically Fetching License Token from Grafana Cloud (Outside Grafana Pod)

ccareau · June 9, 2025, 7:45pm

Grafana version and OS

Grafana Enterprise v11.6.1, running in Kubernetes on Linux.

Context

Hi everyone, could use some help:
We currently run Grafana Enterprise with the license token (JWT) stored in AWS Secrets Manager, and synced into a Kubernetes Secret using External Secrets Operator (ESO). That Kubernetes Secret is then mounted into the Grafana pod.

The token is manually copied from Grafana Cloud into AWS Secrets Manager.

We’re exploring options to automate this process.

What we’re trying to achieve

We would like to automate the renewal of the license token by having a process that interacts directly with the license issuer (Grafana Cloud) to fetch a fresh token and store it back in AWS Secrets Manager.

Clarification

The Licensing API endpoints (like POST /api/licensing/token/renew) appear to be hosted on the Grafana instance itself, meaning they expect a valid existing token and operate within the running Grafana context (as shown here)

That’s not what we’re looking for.

We are looking for a way to programmatically fetch the license token directly from Grafana Cloud, outside the Grafana pod, ideally using a service account or API key, so we can:

Automate token retrieval
Store the fresh token in Secrets Manager
Ensure new pods start with a valid license without manual intervention

Question

Is such an external token retrieval flow officially supported by Grafana Labs? If not, is there a recommended pattern for achieving this in environments where secrets are centrally managed and pods are ephemeral?

Thanks in advance!
— Charles

jangaraj · June 9, 2025, 8:13pm

Try Grafana Cloud API (that’s not Grafana API, so don’t mix them):

But do you need that automation when:

ccareau · June 10, 2025, 3:40pm

Hello there, thanks for your answer!

`auto_refresh_license` Limitation

You’ve precisely hit on my core concern: the auto_refresh_license feature, while great for running instances, doesn’t propagate the refreshed token back to our external secret store. This means that even with auto-refresh enabled, the token in AWS Secrets Manager would quickly become stale.

Our primary goal is to ensure newly deployed Grafana pods (which are spun up frequently in our ephemeral Kubernetes environment) always start with a valid license, without any manual intervention. If the token in Secrets Manager isn’t updated by the auto-refresh, we’re back to Square One for every new pod that fetches from it. I created an access policy with the scopes license-tokens:read licenses:read but i am having a hard time finding the doc to understand how to use that access policy in the cloud API call to fetch my license token.

jangaraj · June 10, 2025, 4:29pm

Got it. You have an enterprise license, so I recommend contacting Grafana Enterprise support. They should address your case,

ccareau · June 10, 2025, 5:29pm

Yes will do, thanks for your help!

ccareau · June 10, 2025, 5:59pm

Found the solution: the endpoints to fetch the license are not documented but they actually exist, able to fetch the license token through this route https://www.grafana.com/api/licenses/<license_id>/tokens/download by authenticating using the token_id of the access policy in the authorization header.

Topic		Replies	Views
Where can I download license.jwt token filen? Authentication	1	2018	October 13, 2023
Where to find and download the license.jwt token? Configuration	2	27	May 4, 2025
Storing API tokens Grafana api	2	712	September 4, 2018
Open source to enterprise Installation templating , plugins	2	1769	December 1, 2023
Refreshing Token Daily Grafana api	6	76	March 25, 2025