The control plane
The control plane is the brain of Lookout. It receives reports from your agents, computes each server’s health, stores the latest state, and serves the dashboard. On managed plans we run it for you; on the Enterprise plan you run one control plane on-prem for your whole fleet.
Run it (on-prem)
On-prem customers get the lookout-server binary from their downloads page. Start it with your enrollment token:
LOOKOUT_TOKEN=your-secret ./lookout-server --addr :8080 --data lookout-data.jsonOptions
| Flag / env | Default | What it does |
|---|---|---|
--addr | :8080 | Address the HTTP server listens on. |
--data | lookout-data.json | Where the latest state is stored. |
LOOKOUT_TOKEN | (unset) | Shared token agents must present. If unset, reports are unauthenticated (dev only). |
Endpoints
GET /— the dashboard (overview of all servers).GET /server/<id>— one server’s detail page.GET /api/v1/servers— JSON list of servers with computed health.POST /api/v1/agents/report— where agents submit reports (token required).GET /healthz— liveness check.
Put it behind TLS
The control plane speaks plain HTTP so you can run it behind whatever you already trust. Always terminate TLS in front of it in production — never expose it directly to the internet. Two easy options:
- A reverse proxy (Caddy or nginx) that gets a certificate automatically and forwards to
localhost:8080. - Cloudflare Tunnel — exposes the dashboard with no open inbound ports at all (recommended). See On-prem deployment.
Then point your agents at the HTTPS URL with --server https://monitor.example.com.
Heads-up (MVP): today the control plane stores the latest state in a JSON file and authenticates agents with a shared token. History (time-series), a SQLite/Postgres store, and per-agent mTLS are on the roadmap. Don’t expose it without TLS.