Invalid Registration Token
Symptom
The cm-runner container fails on startup with one of:
ERROR registration_failed code=invalid_token
ERROR registration_failed code=expired_token
ERROR registration_failed code=org_mismatch
The machine never appears in Runners → Your Machines.
Likely cause
Registration tokens are single-use, org-scoped, and expire after 1 hour. You hit this error when one of the following is true:
- Token was already consumed by a previous successful registration.
- Token has expired — more than 1 hour passed between generating it and the container picking it up.
- Token belongs to a different org than the gateway API key currently bound to the agent.
- Token was truncated or has whitespace — common with copy-paste from Slack / Notion / email.
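A local pre-flight check for the last cause in the list, as an added example (not part of the cm-runner tooling). The function name check_reg_token is hypothetical, and the only format fact it relies on is the byovm_reg_ prefix stated on this page. Consumed, expired, and wrong-org tokens can only be detected by the gateway.

```shell
#!/bin/sh
# Added example: sanity-check a registration token before handing it to
# `docker run`. Assumption: only the byovm_reg_ prefix is known from the
# page; body length and alphabet are undocumented, so they are not checked.

# Prints a one-word diagnosis; returns 0 only when the token looks intact.
check_reg_token() {
  token="$1"
  prefix="byovm_reg_"

  if [ -z "$token" ]; then
    printf '%s\n' "empty"; return 1
  fi

  # Space, tab, CR or LF anywhere in the value: a copy-paste artifact
  # (Slack / Notion / email often add a trailing CR or a leading space).
  case "$token" in
    *[[:space:]]*) printf '%s\n' "whitespace"; return 1 ;;
  esac

  # Quotes copied along with the value from JSON output or chat formatting.
  case "$token" in
    \"*|*\"|\'*|*\') printf '%s\n' "wrapped"; return 1 ;;
  esac

  # The prefix is part of the token and must be included.
  case "$token" in
    "$prefix"*) ;;
    *) printf '%s\n' "missing_prefix"; return 1 ;;
  esac

  # Prefix with nothing after it: the value was cut off. A token cut off
  # partway through its body cannot be detected locally.
  if [ "${#token}" -le "${#prefix}" ]; then
    printf '%s\n' "truncated"; return 1
  fi

  printf '%s\n' "ok"
}

# Usage, with the token already exported in the current shell:
#   check_reg_token "$CM_REGISTRATION_TOKEN" || echo "fix the token first"
```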
Fix
Generate a fresh token
curl -X POST https://api.curate-me.ai/gateway/admin/runners/byovm/register-token \
-H "X-CM-API-Key: cm_sk_your_key_here" \
-H "Content-Type: application/json" \
-d '{"ttl_seconds": 3600}'
Copy the entire token value from the response (including the byovm_reg_ prefix). Re-run the agent with the new token:
docker rm -f cm-runner
docker run -d \
--name cm-runner \
--restart unless-stopped \
-v /var/run/docker.sock:/var/run/docker.sock \
-v cm-runner-data:/var/lib/cm-runner \
-e CM_REGISTRATION_TOKEN=byovm_reg_NEW_TOKEN_HERE \
-e CM_GATEWAY_URL=https://api.curate-me.ai \
-e CM_AGENT_ID=$(hostname) \
ghcr.io/curate-me-ai/cm-runner:latest
Confirm the org matches
The token is bound to whichever org owned the API key you used to generate it. If you have multiple orgs, the dashboard URL bar shows your active org — make sure it matches.
Never commit CM_REGISTRATION_TOKEN to a repo. The token cannot launch
runners on its own, but combined with leaked API keys it lets an attacker
attach a hostile agent to your org. Tokens are written into the agent’s
data volume on first use and are not needed again.
Where to find logs
docker logs cm-runner --tail 100 2>&1 | grep -E "registration|register"
Server-side log entry: byovm_registration_failed in gateway logs, with the agent’s hostname and the redacted token prefix.
Related
- Machine Offline — agent registered but never reaches ONLINE
- Connect Your Machine quickstart