Skip to content

How do I install the inventory agent?

Requires Pro

In the Discovery module, under Inventory agents, create an enrollment token (shown exactly once), download the notory_agent.py script via “Download agent”, and run it on the endpoint with the environment variables NOTORY_URL and NOTORY_TOKEN — once as a test, then on a schedule (Task Scheduler / cron / launchd). The agent reports the operating system and installed software, and creates or updates the asset automatically.

Discovery module, from the Pro plan onward. On the endpoint, Python 3.8+ is enough — the reference script requires no extra packages and runs on Windows, Linux, and macOS. New devices count against your license’s asset limit.

  1. Open the “Inventory agents” section. Choose Discovery and scroll to the Inventory agents card. Under Name, give the token a label (e.g. “Sales laptops”) and click “Create token”.

    The 'Inventory agents' card — this is where you create enrollment tokens.
  2. Copy the token immediately. Notory displays the token exactly once (“Enrollment token — copy it now, it will not be shown again”). It starts with invagt_. Keep it safe — afterward, it can only be revoked, not shown again.

    The enrollment token is shown exactly once — copy it immediately.
  3. Download the agent. Click “Download agent” — you receive the notory_agent.py script (identical for Windows, Linux, and macOS).

  4. Run it on the endpoint. Set the two environment variables and run the script as a test:

    Windows (PowerShell)
    $env:NOTORY_URL = "https://demo.notory.io/api/v1"
    $env:NOTORY_TOKEN = "invagt_dein_token"
    python notory_agent.py
    Linux / macOS
    export NOTORY_URL="https://demo.notory.io/api/v1"
    export NOTORY_TOKEN="invagt_dein_token"
    python3 notory_agent.py

    On success, the script reports OK: 200 ….

  5. Schedule it. To keep the data current, schedule the call to run regularly — Windows: Task Scheduler (e.g. daily), Linux: cron (e.g. @daily), macOS: launchd or cron. In the agent list, you see “Last seen” for each token; use Revoke to permanently deactivate a token.

  • Agent authentication: The token is stored server-side only as a hash — which is why it can never be viewed again after creation. Every report authenticates via Authorization: Bearer invagt_…; a revoked token is immediately rejected with 401. The token is permanently bound to your tenant.
  • Upsert instead of duplicate: The agent sends a stable machine_id (Windows: MachineGuid, Linux: /etc/machine-id, macOS: IOPlatformUUID). Notory looks for an asset with this identifier (external_id): if found → update, otherwise → create (type Hardware, status Active, name = hostname). Repeated reports therefore don’t create duplicates.
  • License check (gating): Only new devices count against the asset limit; if it has been reached, Notory rejects the report with 403. Updates to existing assets are always possible.
  • Stored data: Manufacturer, model, and serial number land in the core fields; OS, OS version, IP address, and the software list (max. 2000 entries) go into the asset’s custom fields, together with agent_last_report (timestamp of the last report).
  • “Last seen”: With every report, Notory updates the token’s last_seen_at — so you can see in the agent list which device fleet is actively reporting.