The documentation for opncentral (https://docs.opnsense.org/vendor/deciso/opncentral.html#users-groups) says:
QuoteWhen users and groups are synchronized, the existing api key+secret is merged into the user with the same name to prevent access issues after reconfigure. To avoid issues, make sure there's a unique username with proper credentials before using the synchronization.
What conditions are required to make this work?
Running OPNcentral on OPNsense 25.10.2_4-amd64 if I have an 'opncentral' user on the firewall being managed, and I generate an API for that user and use it to connect to the firewall from OPNcentral, as soon as I provision the managed firewall the API key either gets erased if there isn't one on the OPNcentral machine, or overwritten by the one on the OPNcentral machine if there is. That immediately breaks access to the managed device until I regenerate an API key and add it back in to OPNcentral.
It seems like this is not the intended behaviour, but I can't figure out what the settings need to be to make this work.
Can anyone enlighten me?
Thanks.