Xaccel IoT — Customer Guide

👋

Welcome to Xaccel IoT

What this platform does and how it helps you

Xaccel IoT is a secure remote access and management platform for your IoT devices, servers, Raspberry Pis, industrial computers, and any Linux-based machine — no matter where in the world they are located.

Once you install a small agent on your device, it connects back to the Xaccel IoT platform over an encrypted tunnel. From that point on, you can access your device from any browser, anywhere, without needing to open firewall ports, configure VPNs, or know the device's IP address.

💻

Web Console

Open a full SSH terminal to any device directly in your browser — no SSH client needed.

🔗

SSH Tunnels

Forward any port on your device to your local machine — access web UIs, databases, and more.

📊

Live Monitoring

See CPU, memory, disk, and network stats in real time with historical charts.

🔔

Smart Alerts

Get notified by email when a device goes offline or a metric exceeds your threshold.

⚙️

Batch Jobs

Run commands or scripts across multiple devices at once — update, restart, deploy.

📁

File Upload

Push configuration files, scripts, or firmware updates to one or many devices.

ℹ️

Your plan determines your device limit

Depending on your subscription plan, you can connect a set number of devices. You can always upgrade your plan from the Billing page if you need more.

🔐

Logging In

How to access your portal

Your portal is accessed through a web browser. Your account administrator will have provided you with the portal URL, your email address, and a temporary password.

1

Open the portal URL

Navigate to your portal address in any modern browser (Chrome, Firefox, Edge, Safari). The URL will look like https://remoteiot.yourcompany.com.

2

Enter your credentials

Type your email address and password into the login form, then click Sign In.

3

Change your password (first login)

If this is your first time logging in, go to Settings → Change Password and set a strong personal password right away.

4

You're in!

You'll land on your Dashboard, which shows an overview of all your connected devices and recent activity.

⚠️

Forgot your password?

Click Forgot Password on the login page to receive a reset link by email. If you don't receive it within a few minutes, check your spam folder or contact your account administrator.

User Roles

Your account has one of the following roles, which determines what you can see and do:

Role	What You Can Do
Tenant Admin	Full access — manage devices, users, billing, and all settings for your account
User	Access devices assigned to you, use the console and tunnels, view monitoring
Read Only	View device status and monitoring data only — no console or tunnel access

🏠

Your Dashboard

Understanding the overview screen

The Dashboard is the first thing you see after logging in. It gives you an at-a-glance view of your entire device fleet.

remoteiot.yourcompany.com

12

Online

2

Offline

14

Total Devices

3

Active Alerts

📋 Recent activity feed — device connections, alerts, job completions...

🟢 Online count

Number of devices currently connected and reporting. Click to filter the device list to online devices only.

🔴 Offline count

Devices that have not checked in recently. Click to see which devices need attention.

📱 Total devices

All devices registered to your account, regardless of status.

🔔 Active alerts

Unresolved alert conditions (e.g. high CPU, device offline). Click to go to the Alerts page.

📋 Activity feed

A live log of recent events — device connections, disconnections, job completions, and alert triggers.

➕

Adding a Device

Register a new device and install the agent

To connect a device to Xaccel IoT, you need to do two things: register it in the portal to get a unique device token, then install the agent on the device itself using that token.

Step 1 — Register the device in the portal

1

Go to Devices

Click Devices in the left navigation menu.

2

Click "Add Device"

Click the + Add Device button in the top-right corner of the Devices page.

3

Fill in the device details

Enter a Device Name (e.g. "Factory Floor Pi #3"), an optional Description, and optionally assign it to a Group. Then click Create Device.

4

Copy your Device Token

After creating the device, you'll see a Device Token — a long string like tok_abc123.... Copy this — you'll need it in the next step. This token is shown only once.

💡

Where to find your Setup Key

Your Setup Key is in the portal under Settings → Setup Key. Unlike device tokens, the Setup Key is reusable — use the same key to install the agent on as many devices as you like. You can regenerate it at any time from Settings.

Step 2 — Install the agent on your device

SSH into your device (or use a local terminal) and run the one-line install command shown in your portal under Settings → Install Command. It looks like this — with your Setup Key and portal URL already filled in:

# One-line install — run this on your device (requires sudo)
# Replace YOUR_SETUP_KEY with the key from Settings → Setup Key
# Replace MyDevice with a name for this device (e.g. RaspberryPi-Kitchen)
curl -s 'https://YOUR_PORTAL_URL/api/install/install.sh?key=YOUR_SETUP_KEY&name=MyDevice' | sudo bash

💡

Naming your device

The ?name= part of the command sets the device name shown in your portal. Use something descriptive like RaspberryPi-Greenhouse, Ubuntu-Server-01, or FactoryFloor-PLC. You can also rename devices later from the portal.

The installer will automatically download the agent, install Node.js if needed, configure it with your Setup Key, and start it as a system service that automatically restarts on reboot.

What the agent does

What it does	Details
Connects to the portal	Opens an outbound WebSocket connection — no inbound ports needed
Reports system metrics	CPU, memory, disk, network — sent every 30 seconds
Handles SSH sessions	Proxies your browser console sessions securely
Manages tunnels	Opens port-forward tunnels on demand
Runs batch commands	Executes commands sent from the portal
Receives file uploads	Saves files pushed from the portal to the device

💡

Supported operating systems

The agent runs on any Linux system with Node.js 16+ or Bash. This includes Raspberry Pi OS, Ubuntu, Debian, CentOS, Fedora, most embedded Linux distributions, and Android via Termux.

Verify the connection

After installing the agent, go back to the Devices page in the portal. Within about 30 seconds, your device should appear with a ● Online status. If it shows as offline after a minute, see the Troubleshooting section.

📋

Managing Devices

View, search, filter, and organize your device fleet

The Devices page lists all devices registered to your account. You can search, filter by status or group, and click any device to open its detail panel.

🔍 Search bar

Type any part of a device name, description, or IP address to instantly filter the list.

🔽 Status filter

Filter to show only Online, Offline, or All devices.

🗂️ Group filter

Show only devices belonging to a specific group (e.g. "Production", "Lab", "Site A").

📄 Device card

Each device shows its name, status, last seen time, IP address, and quick-action buttons.

Device detail panel

Click on any device to open its detail panel on the right side of the screen. This panel has several tabs:

Tab	What you'll find
Overview	Device info, current metrics snapshot, last seen time, IP address, agent version
Console	Launch a live SSH terminal session in your browser
Tunnels	Create and manage port-forward tunnels to this device
Monitoring	Historical charts for CPU, memory, disk, and network
Jobs	Run a command on this device or view past job results
Files	Upload files to this device
Alerts	Configure alert rules specific to this device
Settings	Rename the device, change its group, regenerate its token, or delete it

Editing a device

1

Open the device

Click the device name or row in the Devices list to open its detail panel.

2

Go to the Settings tab

Click the Settings tab in the device detail panel.

3

Make your changes

Update the device name, description, or group assignment, then click Save Changes.

🗑️

Deleting a device

Deleting a device removes it from the portal permanently, including all its monitoring history and alert rules. The agent on the device will stop connecting. This action cannot be undone.

🟢

Device Status

Understanding what each status means

Status	Meaning	What to do
● Online	Device is connected and sending metrics	Nothing — all good!
● Offline	Device has not checked in for more than 2 minutes	Check power, network, and agent status on the device
● Warning	Device is online but has an active alert condition	Check the Alerts tab for details
● Never Seen	Device was registered but the agent has never connected	Install the agent on the device using the device token

ℹ️

Last seen time

Each device shows a "Last seen" timestamp. If a device shows as offline, this tells you exactly when it last checked in, which helps diagnose whether it's a recent outage or a long-standing issue.

💻

Web Console (SSH)

Access a full terminal on any device from your browser

The Web Console gives you a full, interactive SSH terminal session to any online device — directly in your browser. No SSH client, no keys to configure, no VPN required.

1

Open the device

Click on the device you want to access in the Devices list.

2

Click "Console" tab

In the device detail panel, click the Console tab.

3

Enter SSH credentials

Enter the SSH username (e.g. pi, ubuntu, root) and either a password or select a saved SSH key. Then click Connect.

4

Use the terminal

A full terminal opens in your browser. Type commands just like a regular SSH session. The terminal supports color output, interactive programs (like nano, htop, vim), and copy/paste.

5

Disconnect when done

Type exit or click the Disconnect button to close the session. Sessions also automatically close if you navigate away or close the browser tab.

Console tips

Action	How to do it
Copy text	Select text with your mouse — it copies automatically to clipboard
Paste text	Right-click in the terminal, or use `Ctrl+Shift+V`
Resize terminal	Drag the panel border — the terminal resizes automatically
Scroll up	Use your mouse wheel or trackpad to scroll through terminal history
Interrupt a command	Press `Ctrl+C` as normal
Run sudo	Works normally — enter the device's sudo password when prompted

💡

Save SSH keys for faster access

Instead of typing a password every time, add your SSH key in Settings → SSH Keys. You can then select it from the console login form for one-click access.

🔗

SSH Tunnels

Forward ports from your device to your local machine

SSH Tunnels let you access services running on your remote device as if they were running on your local computer. For example, you can access a web interface running on port 8080 of your device by opening http://localhost:8080 in your browser.

This is useful for accessing device dashboards, databases, APIs, or any other service that listens on a port — without exposing those ports to the internet.

Common use cases

🌐 Device web UI (port 80/443)

🗄️ Database (MySQL 3306, Postgres 5432)

📊 Grafana dashboard (port 3000)

🔧 Node-RED (port 1880)

📡 MQTT broker (port 1883)

🐳 Docker API (port 2375)

Creating a tunnel

1

Open the device and go to Tunnels tab

Click the device in the Devices list, then click the Tunnels tab.

2

Click "New Tunnel"

Click the + New Tunnel button.

3

Configure the tunnel

Enter a name for the tunnel (e.g. "Web UI"), the remote port on the device (e.g. 8080), and the local port you want to use on your computer (e.g. 8080). Click Create Tunnel.

4

Connect the tunnel

Click the Connect button next to the tunnel. The portal will give you an SSH command to run in your local terminal to establish the tunnel.

5

Access the service

Once the tunnel is active, open http://localhost:LOCAL_PORT in your browser (or connect your database client to localhost:LOCAL_PORT).

ℹ️

Tunnels require an SSH client on your local machine

Unlike the Web Console, SSH tunnels require you to run an SSH command in a terminal on your local computer. On macOS and Linux, SSH is built in. On Windows, use PowerShell, Windows Terminal, or install Git Bash.

🌐 HTTP Tunnel — Open device web UI in your browser

If your device runs a web interface (like a router admin page, Node-RED, Grafana, or a custom dashboard) on port 80 or 443, you can access it directly in your browser — no SSH command needed.

When you create a tunnel with remote port 80 or 443, the portal automatically opens the device's web UI in a new browser tab via a secure reverse proxy. The URL is authenticated with a short-lived token so only you can access it.

1

Create a tunnel with Remote Port 80 or 443

Click + New Tunnel, select your device, set Remote Port to 80 (or 443 for HTTPS), and click Create Tunnel.

2

Browser opens automatically

The portal immediately opens the device's web UI in a new tab. You'll see a HTTP badge on the tunnel in the list.

3

Re-open later with the 🌐 Open button

To open the proxy again later, click the 🌐 Open button next to the tunnel in the list.

🖥️ VNC Tunnel — View device desktop in your browser

If your device runs a VNC server (for a graphical desktop), you can view and control it directly in your browser — no VNC client app required. The portal includes a built-in VNC viewer powered by noVNC.

1

Create a tunnel with Remote Port 5900 or 5901

Click + New Tunnel, select your device, set Remote Port to 5900 (or 5901 for display :1), and click Create Tunnel.

2

VNC viewer opens automatically

The portal opens the built-in VNC viewer in a new tab. You'll see a VNC badge on the tunnel.

3

Use the viewer controls

The viewer toolbar includes: Fullscreen, Ctrl+Alt+Del (to send to the remote desktop), Clipboard (to paste text), and Scale options (Auto/100%/75%/50%).

4

Re-open later with the 🖥️ VNC button

To open the viewer again later, click the 🖥️ VNC button next to the tunnel in the list.

ℹ️

VNC server must be running on the device

The device needs a VNC server installed and running. Common options: tigervnc-standalone-server, x11vnc, or tightvncserver. Install via apt-get install tigervnc-standalone-server and start with vncserver :1.

🤖 VNC on Android — No Root Required (Auto-Install)

You can view and control an Android device’s screen in your browser using the VNC tunnel feature. The Xaccel IoT agent automatically installs DroidVNC-NG when it detects it is running on Android via Termux — no manual Play Store installation needed.

1

Install the agent via Termux

Open Termux on the Android device and run the install command from the portal’s Add Device → Android tab. The agent starts automatically and detects the Android environment.

2

Agent auto-installs DroidVNC-NG

On first run, the agent downloads and installs DroidVNC-NG automatically. It then launches the app. The portal Tunnels page shows a ⚠ No VNC badge while installation is in progress.

3

Tap Start in DroidVNC-NG

Open the DroidVNC-NG app and tap Start. This one-time step grants the screen capture permission. The portal shows a ⚠ VNC Stopped badge until the server is running on port 5900.

4

Create a VNC tunnel (port 5900)

Once the Android device is online and DroidVNC-NG is running, go to its Tunnels tab → + New Tunnel → Remote Port 5900. Click the 🖥️ VNC button to open the in-browser viewer.

💡

Performance tip

For the smoothest experience, keep the Android device on Wi-Fi and set DroidVNC-NG’s quality to Medium. Use Auto scale in the VNC viewer toolbar to fit the Android screen to your browser window.

🔒

Security: VNC is tunnel-only

The Xaccel IoT agent automatically secures DroidVNC-NG so it cannot be accessed directly from the internet or local network — only through your encrypted Xaccel tunnel:

Firewall: iptables rules block port 5900 on all network interfaces except loopback. Only tunnel connections (via 127.0.0.1) can reach VNC.
Password: A strong random password is generated automatically and set in DroidVNC-NG. You don’t need to set one manually.
Monitoring: If the firewall is inactive, the portal shows a red ⚠ VNC Exposed badge as a security alert.

If you see the ⚠ VNC Exposed badge, check that the agent is running and that your Android device supports iptables (some non-rooted devices may not). The VNC password still protects against unauthorized access.

🔑

SSH Keys

Save SSH keys for password-free device access

Instead of typing a password every time you open a console session, you can save your SSH private key in the portal. The key is stored securely and used automatically when you connect to devices.

Adding an SSH key

1

Go to Settings → SSH Keys

Click Settings in the left navigation, then click the SSH Keys tab.

2

Click "Add SSH Key"

Click the + Add SSH Key button.

3

Paste your private key

Give the key a name (e.g. "My MacBook Key"), then paste the contents of your private key file (e.g. ~/.ssh/id_rsa or ~/.ssh/id_ed25519). Click Save Key.

4

Use it in the console

When opening a console session, select your saved key from the Authentication dropdown instead of entering a password.

⚠️

Make sure your public key is on the device

For key-based authentication to work, your SSH public key must be added to the device's ~/.ssh/authorized_keys file. If you're not sure how to do this, use password authentication first, then add the key via the console.

Generating a new SSH key pair

If you don't have an SSH key yet, you can generate one on your local machine:

# Generate a new Ed25519 key (recommended)
ssh-keygen -t ed25519 -C "your@email.com"

# Your keys will be saved to:
#   Private key: ~/.ssh/id_ed25519   ← paste this into the portal
#   Public key:  ~/.ssh/id_ed25519.pub ← add this to your device

# Copy public key to a device (if you can reach it)
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@device-ip

📊

Live Monitoring

Real-time and historical metrics for all your devices

Xaccel IoT continuously collects system metrics from every connected device. You can view live data and historical charts to understand device health and performance over time.

Available metrics

Metric	What it measures	Update frequency
CPU Usage	Percentage of CPU being used across all cores	Every 30 seconds
Memory Usage	RAM used vs. total available, as a percentage	Every 30 seconds
Disk Usage	Storage used vs. total capacity on the main disk	Every 30 seconds
Network I/O	Bytes sent and received per second	Every 30 seconds
Load Average	System load over 1, 5, and 15 minutes	Every 30 seconds
Uptime	How long the device has been running since last reboot	Every 30 seconds

Viewing monitoring data

1

Open a device

Click on any online device in the Devices list.

2

Click the Monitoring tab

Click the Monitoring tab in the device detail panel.

3

Select a time range

Use the time range selector to view data for the last 1 hour, 6 hours, 24 hours, 7 days, or 30 days.

4

Hover for details

Hover over any point on a chart to see the exact value and timestamp for that data point.

💡

Fleet-wide monitoring

Click Monitoring in the left navigation (not inside a device) to see a summary view of all devices at once — great for spotting which devices are under stress.

🔔

Alerts & Notifications

Get notified when something needs your attention

Alerts automatically notify you by email when a device goes offline or when a metric (CPU, memory, disk) exceeds a threshold you define. You can set up alerts per device or globally for all devices.

Creating an alert rule

1

Go to Alerts

Click Alerts in the left navigation, or open a device and click its Alerts tab for a device-specific rule.

2

Click "New Alert Rule"

Click the + New Alert Rule button.

3

Configure the rule

Choose the device (or "All Devices"), the metric to watch, the condition (e.g. greater than), and the threshold value (e.g. 90 for 90% CPU). Set the notification email.

4

Save the rule

Click Save Rule. The rule is now active and will send an email when the condition is met.

Alert types

Alert Type	Triggers when…	Example use
Device Offline	Device stops checking in for more than 2 minutes	Know immediately when a device loses power or network
CPU High	CPU usage exceeds your threshold for a sustained period	Alert at 85% CPU to catch runaway processes
Memory High	RAM usage exceeds your threshold	Alert at 90% memory to prevent out-of-memory crashes
Disk Full	Disk usage exceeds your threshold	Alert at 80% disk to prevent log files filling the drive
Device Online	A previously offline device comes back online	Confirm a device has recovered after maintenance

ℹ️

Alert cooldown

To prevent alert spam, each rule has a cooldown period. Once an alert fires, it won't fire again for the same condition until the cooldown expires (default: 30 minutes). You can adjust this per rule.

⚙️

Batch Jobs

Run commands across multiple devices at once

Batch Jobs let you run a shell command or script on one or many devices simultaneously. This is ideal for software updates, configuration changes, service restarts, or any task you'd normally have to do device by device.

Running a batch job

1

Go to Batch Jobs

Click Batch Jobs in the left navigation.

2

Click "New Job"

Click the + New Job button.

3

Select target devices

Choose specific devices by name, or select an entire group (e.g. "All Production Devices"). You can also select all online devices.

4

Enter the command

Type the shell command to run. For example: apt-get update && apt-get upgrade -y or systemctl restart myapp.

5

Run the job

Click Run Job. The command is sent to all selected devices simultaneously. You can watch the output from each device in real time.

Example commands

# Update all packages
apt-get update && apt-get upgrade -y

# Restart a service
systemctl restart nginx

# Check disk space
df -h

# Check which processes are using the most CPU
ps aux --sort=-%cpu | head -10

# Reboot the device
reboot

# Pull latest code and restart app
cd /opt/myapp && git pull && pm2 restart myapp

⚠️

Be careful with destructive commands

Commands like reboot, rm -rf, or service restarts will execute immediately on all selected devices. Double-check your device selection before running. There is no undo.

Viewing job results

After a job runs, you can see the output from each device in the job results panel. Each device shows a ✓ Success or ✗ Failed status along with the full command output. Job history is saved so you can review past runs at any time.

📁

File Upload

Push files to one or many devices

The File Upload feature lets you push files from your computer to one or many remote devices. This is useful for deploying configuration files, scripts, firmware updates, certificates, or any other file your devices need.

1

Go to File Upload

Click File Upload in the left navigation, or open a device and click its Files tab for a single-device upload.

2

Select your file

Click Choose File and select the file from your computer. Files up to 100MB are supported.

3

Set the destination path

Enter the full path where the file should be saved on the device, e.g. /etc/myapp/config.json or /home/pi/scripts/update.sh.

4

Select target devices

Choose one device, multiple devices, or an entire group.

5

Upload

Click Upload to Devices. The file is transferred to all selected devices. You'll see a success or failure status for each device.

💡

Combine with Batch Jobs for powerful deployments

Upload a script file to your devices, then use a Batch Job to execute it. For example: upload /tmp/deploy.sh, then run bash /tmp/deploy.sh as a batch job.

👥

Team Members

Invite colleagues and manage access (Tenant Admins only)

If you are a Tenant Admin, you can invite other people to your account and control what they can access. Each person gets their own login and can be assigned a role that limits their permissions.

Inviting a team member

1

Go to Settings → Users

Click Settings in the left navigation, then click the Users tab.

2

Click "Invite User"

Click the + Invite User button.

3

Enter their details

Enter their name, email address, and select their role. Optionally set a temporary password for them.

4

Send the invite

Click Create User. They'll receive an email with login instructions (if SMTP is configured), or you can share the portal URL and their credentials directly.

Managing existing users

From the Users tab, you can change a user's role, reset their password, or remove them from your account. Removing a user immediately revokes their access — they will not be able to log in.

ℹ️

User limits by plan

Your subscription plan determines how many users you can have. If you need more users, upgrade your plan from the Billing page.

🗂️

Device Groups

Organize devices into logical groups

Groups let you organize your devices into logical categories — for example by location, function, customer, or environment. Once grouped, you can filter the device list, run batch jobs, and upload files to an entire group at once.

Creating a group

1

Go to Settings → Groups

Click Settings in the left navigation, then click the Groups tab.

2

Click "New Group"

Click the + New Group button, enter a name (e.g. "Production", "Lab", "Site A"), and click Create.

3

Assign devices to the group

Open each device's Settings tab and select the group from the Group dropdown, or assign the group when adding a new device.

Group examples

🏭 Production

🧪 Staging / Lab

📍 Site A / Site B

👤 Customer Name

🔧 Maintenance

🌡️ Sensors

🖥️ Servers

💳

Billing & Plans

Manage your subscription, payment method, and invoices

The Billing page lets you view your current plan, see your device usage, manage your payment method, and download invoices. Only Tenant Admins can access billing.

Accessing billing

Click Billing in the left navigation menu. You'll see your current plan, usage summary, and billing history.

Understanding your plan

What you'll see	What it means
Plan name	Your current subscription tier (e.g. Starter, Professional, Enterprise)
Billing cycle	Monthly or annual — when your next payment is due
Device usage	How many devices you've used vs. your plan's limit
Status	Active, Trial, Past Due, or Suspended
Next invoice	The date and amount of your next charge

Changing your plan

1

Go to Billing

Click Billing in the left navigation.

2

Click "Change Plan"

Click the Change Plan button in the Plan section.

3

Select a new plan

Browse the available plans and click Select on the one you want. Plan changes take effect immediately.

Updating your payment method

1

Go to Billing → Payment Method

Scroll down to the Payment Method section on the Billing page.

2

Click "Update Card"

Click the Update Card button (or Add Payment Method if none is saved).

3

Enter your card details

Enter your card number, expiry date, and CVV. Your card details are tokenized securely via Authorize.net — they are never stored on our servers.

4

Save

Click Save Payment Method. Your new card will be used for all future charges.

Invoices

All invoices are listed in the Invoice History section of the Billing page. Each invoice shows the date, amount, and status. You can click any invoice to view the full details or download it as a PDF. If an invoice is marked Failed, you can click Pay Now to retry the payment.

Subscription statuses

Status	Meaning	Action needed
Trial	You're in a free trial period	Add a payment method before the trial ends to avoid interruption
Active	Subscription is current and paid	None
Past Due	A payment failed — we'll retry automatically	Update your payment method or click Pay Now on the failed invoice
Suspended	Account suspended due to non-payment	Pay the outstanding invoice to restore access
Cancelled	Subscription has been cancelled	Subscribe to a new plan to regain access

ℹ️

Cancelling your subscription

You can cancel at any time from the Billing page by clicking Cancel Subscription. Your access continues until the end of the current billing period. After that, your account will be suspended and devices will stop connecting.

⚙️

Account Settings

Manage your profile, password, and preferences

Setting	Where to find it	What you can do
Profile	Settings → Profile	Update your name and email address
Password	Settings → Change Password	Change your login password
SSH Keys	Settings → SSH Keys	Add, view, or delete saved SSH keys
Users	Settings → Users	Invite, edit, or remove team members (Tenant Admin only)
Groups	Settings → Groups	Create and manage device groups (Tenant Admin only)
Notifications	Settings → Notifications	Set your preferred notification email address
Two-Factor Auth	Settings → Two-Factor Authentication	Enable or disable TOTP 2FA on your account (Tenant Admin only)

Changing your password

1

Go to Settings → Change Password

Click Settings in the left navigation, then click Change Password.

2

Enter your current and new password

Type your current password, then your new password twice to confirm.

3

Save

Click Update Password. You'll be logged out and need to sign in again with your new password.

💡

Use a strong password

We recommend a password of at least 12 characters with a mix of letters, numbers, and symbols. Consider using a password manager to generate and store it securely.

🔐 Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security to your account. Once enabled, you'll need both your password and a 6-digit code from an authenticator app to log in.

Setting up 2FA

1

Install an authenticator app

Download any TOTP authenticator app on your phone: Google Authenticator, Authy, Microsoft Authenticator, or 1Password.

2

Go to Settings → Two-Factor Authentication

Click Settings in the left navigation and scroll to the Two-Factor Authentication section. Click Set Up 2FA.

3

Scan the QR code

Open your authenticator app, tap Add account or the + button, and scan the QR code shown on screen. The app will add an Xaccel IoT entry.

4

Enter the 6-digit code to confirm

Type the current 6-digit code shown in your authenticator app into the confirmation field and click Enable 2FA. 2FA is now active on your account.

Logging in with 2FA

After entering your email and password, a second screen will appear asking for your 6-digit code. Open your authenticator app, find the Xaccel IoT entry, and enter the current code. Codes refresh every 30 seconds.

⚠️

Save your authenticator backup codes

If you lose access to your phone or authenticator app, you won't be able to log in. Make sure to back up your authenticator app or save the secret key shown during setup. Contact your administrator if you're locked out.

🐘

PostgreSQL Database

Production database setup, migration, backup and restore

Xaccel IoT uses PostgreSQL as its production database. PostgreSQL provides the reliability, performance, and scalability needed for large device fleets. SQLite is available for local development only.

For most users
If you installed using the install-ubuntu22.sh script, PostgreSQL was set up automatically. You do not need to do anything extra — just save the database password that was printed at the end of installation.

Automatic Installation

The install script automatically:

Installs PostgreSQL 16 from the official repository
Creates the xaccel_iot database and xaccel user
Generates a secure random password
Configures firewall rules to block external database access
Writes the connection string to your .env file

Connection Settings

Your database connection is configured in /opt/xaccel-iot/.env:

DB_DRIVER=postgres
DATABASE_URL=postgresql://xaccel:YOUR_PASSWORD@localhost:5432/xaccel_iot

Migrating from SQLite

If you have an existing Xaccel IoT installation using SQLite and want to move to PostgreSQL:

Set up PostgreSQL and update your .env with the DATABASE_URL

Run a dry-run first to check for issues:

DRY_RUN=true node migrate-sqlite-to-postgres.js

If the dry-run looks good, run the actual migration:
```
node migrate-sqlite-to-postgres.js
```
Restart the application: pm2 restart xaccel-iot

Back up your SQLite database before migrating
Copy your xaccel.db file to a safe location before running the migration. The migration does not delete the SQLite file, but it is good practice to keep a backup.

Backup & Restore

A backup script is installed automatically at /usr/local/bin/xaccel-db-backup. It creates a compressed PostgreSQL dump in /var/backups/xaccel-iot/.

Manual backup

/usr/local/bin/xaccel-db-backup

Restore from backup

gunzip -c /var/backups/xaccel-iot/xaccel_iot_YYYY-MM-DD.sql.gz | sudo -u postgres psql xaccel_iot

Automated daily backups

The install script sets up a daily cron job at 2:00 AM that runs the backup automatically and retains the last 7 days of backups.

Useful Database Commands

Task	Command
Open PostgreSQL console	`sudo -u postgres psql xaccel_iot`
Check database size	`SELECT pg_size_pretty(pg_database_size('xaccel_iot'));`
List all tables	`\dt` (inside psql console)
Check active connections	`SELECT count(*) FROM pg_stat_activity;`
Run schema migration	`cd /opt/xaccel-iot && node server/db-migrate.js`

Performance Tips

For fleets over 500 devices, increase max_connections in postgresql.conf
Enable pg_stat_statements to identify slow queries
Run VACUUM ANALYZE periodically on high-write tables like metrics_history and device_logs
Consider partitioning metrics_history by month for very large deployments

🛠️

Troubleshooting

Common issues and how to fix them

My device shows as Offline but it's powered on and connected to the internet

SSH into the device and check if the agent is running:

systemctl status xaccel-agent

If it's stopped, start it:

systemctl start xaccel-agent

If it's not installed, re-run the install command from the portal (Devices → your device → Settings → Install Command).

Also check that the device can reach the portal URL on port 443 (HTTPS/WSS). Firewalls that block outbound connections can prevent the agent from connecting.

The Web Console says "Connection failed" or won't open

This usually means one of the following:

The device is offline — check the device status first
The SSH username or password is incorrect — double-check your credentials
SSH is not running on the device — run systemctl status ssh on the device
The device's SSH is listening on a non-standard port — check /etc/ssh/sshd_config

I forgot my portal password

Click Forgot Password on the login page. Enter your email address and you'll receive a reset link. If you don't receive it within a few minutes, check your spam folder. If you still can't log in, contact your account administrator — they can reset your password from the Users settings page.

A batch job ran but shows "Failed" on some devices

Click on the failed job to see the full output from each device. Common reasons for failure include:

The command requires sudo but the user doesn't have sudo access
A package or file referenced in the command doesn't exist on that device
The device went offline during the job
A syntax error in the command

Test your command on a single device first using the Web Console before running it as a batch job.

My payment failed — what happens to my account?

When a payment fails, your account status changes to Past Due. We will automatically retry the payment. You can also go to Billing and click Pay Now on the failed invoice, or update your payment method and try again. If payment is not resolved within the grace period, your account will be suspended and devices will stop connecting. Paying the outstanding invoice immediately restores full access.

The agent installed successfully but the device never appeared in the portal

Check the agent logs on the device:

journalctl -u xaccel-agent -n 50

Look for error messages. Common issues:

Invalid token — the device token was entered incorrectly. Regenerate the token in the portal and reinstall.
Cannot connect to server — the device can't reach the portal URL. Check DNS and firewall rules.
SSL certificate error — the portal's SSL certificate may be self-signed. Contact your administrator.

I can't see the Billing page

The Billing page is only visible to users with the Tenant Admin role. If you need access to billing, ask your account administrator to upgrade your role.

How do I check the agent version on a device?

Open the device in the portal and look at the Overview tab — the agent version is shown there. You can also check on the device itself:

cat /opt/xaccel-agent/package.json | grep version

To update the agent to the latest version, run the install command again — it will update in place.

❓

Frequently Asked Questions

Quick answers to common questions

Do I need to open any firewall ports on my device?

No. The agent makes an outbound connection to the portal over HTTPS/WSS (port 443). You do not need to open any inbound ports on your device or router. This is one of the key advantages of Xaccel IoT.

Is my data secure?

Yes. All communication between the agent and the portal is encrypted using TLS (HTTPS/WSS). Console sessions are encrypted end-to-end. Your SSH credentials are never stored — they are used only for the duration of the session. Payment card details are tokenized by Authorize.net and never stored on our servers.

What happens if the portal goes down? Can I still access my devices?

The portal acts as a relay for connections. If the portal is unavailable, you won't be able to access devices through it. However, your devices themselves continue running normally — only the remote access capability is affected. Direct local access to your devices is always available.

Can I use Xaccel IoT on Windows devices?

The agent currently supports Linux-based systems. Windows support is on the roadmap. For Windows devices, you can use a Linux VM or WSL2 as a workaround.

How many devices can I connect?

The number of devices depends on your subscription plan. You can see your current limit and usage on the Billing page. If you need more devices, upgrade your plan — changes take effect immediately.

Can multiple users access the same device at the same time?

Yes. Multiple users can open separate console sessions to the same device simultaneously. Each session is independent.

How long is monitoring data kept?

Monitoring data is retained based on your plan. Typically, high-resolution data (30-second intervals) is kept for 7 days, and hourly averages are kept for 90 days. Check your plan details for exact retention periods.

Can I export my device data or monitoring history?

You can export monitoring data via the API. Contact support for help with bulk data exports.

What happens to my devices if I cancel my subscription?

Your access continues until the end of the current billing period. After that, your account is suspended and the agents on your devices will stop connecting to the portal. Your devices themselves continue to run normally — only the remote access is affected. If you resubscribe, your devices will reconnect automatically.

Can I run the agent on a Raspberry Pi?

Yes! Raspberry Pi is one of the most common platforms for Xaccel IoT. The agent runs on all Raspberry Pi models running Raspberry Pi OS (32-bit and 64-bit), as well as Ubuntu for Raspberry Pi.

Can I run the agent on an Android device?

Yes! Android devices are supported via Termux — a free Linux terminal app for Android. We have a dedicated Android installer that handles everything automatically:

Install Termux from F-Droid — use F-Droid, not the Play Store version (the Play Store version is outdated)

Open Termux and run this single command (replace with your Setup Key from Settings → Setup Key):

curl -s 'https://YOUR_PORTAL_URL/api/install/android.sh?key=YOUR_SETUP_KEY&name=MyAndroid' | bash

The installer automatically: installs Node.js, downloads the agent, starts it, and sets up auto-start via Termux:Boot
Your Android device appears in the portal within 30 seconds

After install, manage the agent with:

~/xaccel-agent/start.sh — Start the agent
~/xaccel-agent/stop.sh — Stop the agent
~/xaccel-agent/logs.sh — View live logs

Tip: Install Termux:Boot from F-Droid for auto-start on reboot (the installer sets this up automatically). Also disable battery optimization for Termux in Android Settings → Battery → Termux to keep the agent running in the background.

Can I see and control my Android device screen remotely?

Yes! You can view and control your Android screen remotely using scrcpy (free, open-source) combined with Xaccel IoT's port tunneling feature. No root is required.

How to set it up:

On your Android device, enable Developer Options (Settings → About Phone → tap Build Number 7 times)
Enable USB Debugging in Developer Options

In Termux, enable ADB over TCP:

setprop service.adb.tcp.port 5555
stop adbd && start adbd

In the Xaccel IoT portal, go to your Android device → Tunnels → Add Tunnel with Remote Port 5555, Local Port 5555, Protocol TCP
On your computer, install scrcpy (brew install scrcpy on Mac, winget install Genymobile.scrcpy on Windows)
Connect: adb connect localhost:5555 then scrcpy

A window opens showing your Android screen in real time. You can control it with your mouse and keyboard, drag-and-drop files, and even record the screen. See the full guide in the Documentation → Android GUI Access section.

🔄

OTA Firmware Updates

Deploy firmware and software to your devices over the air — with signing, staged rollouts, and automatic rollback

The OTA Updates feature lets you push firmware, scripts, and software packages to your devices without needing SSH access. Navigate to OTA Updates in the portal sidebar.

Uploading a Firmware Release

Click + New Release and fill in the details:

Release Name — e.g., "Firmware v2.1.0"
Version — semantic version like "2.1.0"
Package File — drag and drop your firmware file
Signing Key — select a signing key to cryptographically sign the package (Enterprise)
Description — release notes for your team

Supported file types: .sh scripts, .tar.gz tarballs, .deb packages, .rpm packages, .zip archives, and binary executables.

🔏 Signed OTA Packages

Enterprise accounts can cryptographically sign OTA packages using Ed25519 keys. Signed packages guarantee that only firmware you've approved can run on your devices — tampered or unsigned packages are automatically rejected by the agent.

Setting up signing keys

Go to OTA Updates → Signing Keys tab
Click Generate Key Pair — the server creates a private/public key pair
Give the key a label (e.g., "Production 2025")
When uploading a release, select this key — the package is signed automatically on upload

The agent verifies the signature before applying any update. If verification fails, the update is rejected and an error is reported back to the portal. The device is never modified.

💡 Why sign packages?
Without signing, anyone with access to your portal could push arbitrary code to your devices. Signed packages ensure only packages you've explicitly approved — with your private key — can be installed.

📊 Staged Rollouts

Instead of deploying to all devices at once, staged rollouts let you deploy to a small percentage first, monitor success, then automatically promote or roll back.

Configuring a staged rollout

When deploying a release, expand Staged Rollout Policy
Set Canary % — percentage of devices to deploy to first (e.g., 10%)
Set Success Threshold % — minimum success rate required to promote (e.g., 90%)
Choose Auto-Promote or Auto-Rollback:
- Auto-Promote — if canary succeeds, automatically deploy to remaining devices
- Auto-Rollback — if canary fails, automatically revert all affected devices

Scenario	What happens
Canary succeeds, auto-promote on	Deployment continues to 100% of devices automatically
Canary fails, auto-rollback on	All canary devices revert to previous firmware automatically
Canary fails, auto-rollback off	Deployment pauses — you decide manually whether to proceed or rollback

↩️ Rollback on Failure

The agent always keeps a copy of the previous firmware version before applying an update. If an update fails for any reason — download error, script error, signature mismatch — the agent automatically restores the previous version and reports the failure back to the portal.

You can also trigger a manual rollback at any time:

Go to OTA Updates and find the release
Click Jobs to see per-device status
Click Rollback next to any device to revert it to the previous version

⚠️ Important
Rollback restores the firmware that was running before the current update. If a device has never had a previous version (first-time deployment), rollback is not available.

Deploying an Update

Activate the release by clicking Activate (changes status from Draft to Active)
Click Deploy to open the deployment modal
Choose your target: All Devices, a Device Group, or specific devices
Optionally configure a Staged Rollout Policy
Click Deploy Now

Monitoring Progress

The OTA dashboard shows real-time progress for each release. Click Jobs on any release to see the per-device status:

pending — waiting to be picked up by the device
downloading — device is downloading the package
applying — device is installing the update
success — update applied successfully
failed — update failed, previous version restored automatically
rolled_back — device was reverted to previous firmware

The dashboard auto-refreshes every 30 seconds. You can also manually refresh with the ↻ button.

🔐

Single Sign-On (SSO)

Sign in with your organization’s identity provider

If your organization has configured SSO, you can sign in to Xaccel IoT using your company credentials — Google Workspace, Microsoft Azure AD, Okta, or any OIDC provider. No separate password needed.

Signing In with SSO

Go to the Xaccel IoT portal login page
Enter your work email address (e.g., you@yourcompany.com)
If your domain has SSO configured, a "Sign in with [Provider]" button will appear
Click the SSO button — you’ll be redirected to your company’s login page
Complete authentication with your company credentials
You’ll be redirected back to the Xaccel IoT portal, fully logged in

✅ First-time SSO users: Your Xaccel IoT account is created automatically on your first SSO login. You don’t need to register separately — just sign in with your company credentials.

For Administrators: Configuring SSO

SSO is configured per-tenant by an admin. Go to Settings → Single Sign-On (SSO):

Enable the SSO toggle
Select your identity provider (Google, Azure AD, Okta, or Generic OIDC)
Enter the Client ID and Client Secret from your IdP
Copy the Callback URL and register it in your IdP application settings
Click Test Connection to verify the IdP is reachable
Click Save SSO Config

Once saved, any user whose email domain matches your tenant will see the SSO button on the login page.

SSO Troubleshooting

SSO button not appearing — Make sure you’re entering your full work email (not a personal Gmail/Outlook). SSO is triggered by email domain.
"SSO not enabled for this tenant" — Contact your admin to configure SSO in Settings.
"Account suspended" — Your account has been suspended by an admin. Contact your administrator.
Redirected back with an error — The error message is shown on the login page. Common causes: expired SSO session (try again), misconfigured callback URL, or IdP access not granted.

⏰

Scheduled Batch Jobs

Run commands across your devices automatically on a schedule

Scheduled Jobs let you run any command across one device, a group, or all devices on a recurring schedule — without you having to be online. Think of it as a cron job that runs across your entire fleet.

Creating a Scheduled Job

Go to Jobs in the left navigation
Click the Scheduled tab
Click + New Schedule
Fill in the name, command, target (all devices, a group, or a specific device), and schedule
Use the cron builder or type a cron expression directly
Click Save

Cron Schedule Examples

Expression	Meaning
`0 2 * * *`	Every day at 2:00 AM
`0 * * * *`	Every hour
`/15 * * *`	Every 15 minutes
`0 9 * * 1`	Every Monday at 9:00 AM
`0 0 1 * *`	First day of every month

Targets

All devices — runs on every device in your account
Group — runs on all devices in a specific group
Single device — runs on one specific device

Viewing Results

Each scheduled job shows its Next Run, Last Run, and Last Status (success / failed / running). Click a job to see the full output of the last run. You'll also receive an alert notification when a scheduled job completes or fails.

💡 Common use cases
Nightly log rotation, daily health checks, weekly software updates, hourly config backups, periodic certificate renewals.

📋

Log Viewer

View, search, and export logs from all your devices in one place

The Log Viewer aggregates logs from all your devices into a single searchable interface. No more SSH-ing into each device to check logs — everything is in the portal.

Accessing the Log Viewer

Click Logs in the left navigation. You'll see a live stream of log entries from all online devices.

Filtering Logs

Device — filter to a specific device
Level — filter by severity: debug, info, warning, error, critical
Source — filter by log source: journald, syslog, or custom log files
Search — full-text search across all log messages
Time range — view logs from a specific time window

Live Tail

Toggle Live Tail to see new log entries appear in real time as they arrive from your devices — similar to tail -f but across your whole fleet.

Exporting Logs

Click Export to download the current filtered view as a CSV file. Useful for incident reports or compliance audits.

Log Sources

The agent automatically collects from journald (systemd logs) and syslog. You can configure additional custom log files in the agent config.

💡 Tip
Use the error level filter to quickly spot problems across your entire fleet without scrolling through thousands of info messages.

🎨

White-Label Branding

Make the portal look like your own product

Enterprise accounts can fully customise the portal with your company's logo, colours, and domain name. Your customers see your brand, not Xaccel.

Setting Up Branding

Go to Settings → White-Label Branding
Upload your logo (PNG or SVG recommended)
Upload your favicon (ICO or PNG, 32×32px)
Set your primary colour using the colour picker
Enter your company name (shown in the browser tab title)
Optionally add custom CSS for advanced styling
Click Save Branding

Custom Domain

To serve the portal from your own domain (e.g. portal.yourcompany.com):

Point your domain's DNS CNAME record to your Xaccel server IP
Enter the domain in the Custom Domain field in Branding settings
Your server admin updates the Nginx config and issues a TLS certificate

Live Preview

Click Preview to see your branding applied instantly without saving. This lets you experiment with colours and logos before committing.

💡 Tip
Branding is applied per-tenant. Each tenant on a multi-tenant deployment can have its own logo and colours.

🔗

SCIM User Provisioning

Automatically sync users from Okta, Azure AD, or Google Workspace

SCIM 2.0 lets your identity provider (IdP) automatically create, update, and deactivate user accounts in the portal. When you add someone to the right group in Okta or Azure AD, they get portal access automatically — and when you remove them, access is revoked immediately.

Setting Up SCIM

Go to Settings → SCIM Provisioning
Click + New Token to create a bearer token
Copy the token — it will only be shown once
Note the SCIM Base URL shown on the page
In your IdP, configure SCIM with:
- Base URL: the URL shown in the portal
- Authentication: Bearer token (paste the token you copied)

What Gets Synced

Action in IdP	Result in Portal
Assign user to app	User account created automatically
Update user name/email	Portal profile updated
Deactivate user	Portal access revoked immediately
Create group	Device group created in portal
Add user to group	User added to device group

Supported Identity Providers

Okta — use the SCIM 2.0 app template
Azure AD / Entra ID — use Enterprise Application → Provisioning
Google Workspace — use a custom SCIM connector
Any IdP supporting SCIM 2.0 (RFC 7644)

💡 Tip
You can create multiple SCIM tokens — one per IdP or integration. Revoke individual tokens without affecting others.

📊

Custom Metrics

Track any value from your devices with charts and threshold alerts

Beyond the built-in CPU, memory, and disk metrics, you can define your own custom metrics — anything your device can output from a shell command. Temperature sensors, queue depths, application counters, battery levels — if a script can print it, you can chart it.

Creating a Custom Metric

Go to Metrics in the left navigation
Click + New Metric
Enter a name and optional unit (e.g. °C, MB, req/s)
Write a shell collector command — a command that prints a single number
Set the collection interval (how often to run the command)
Optionally set a threshold alert (e.g. alert if value exceeds 80)
Click Save

Collector Command Examples

What to measure	Command
CPU temperature	`cat /sys/class/thermal/thermal_zone0/temp \| awk '{print $1/1000}'`
Free disk space (GB)	`df / \| awk 'NR==2{print $4/1048576}'`
Running processes	`ps aux \| wc -l`
Network errors	`cat /proc/net/dev \| awk '/eth0/{print $4}'`
App queue depth	`redis-cli llen myqueue`

Viewing Charts

The Metrics dashboard shows a time-series chart for each custom metric across all devices. You can filter by device, change the time range, and see threshold lines on the chart.

Threshold Alerts

Set a threshold value and operator (greater than, less than, equals). When a device's metric crosses the threshold, you receive an alert notification via email or push notification.

💡 Tip
Keep collector commands fast and lightweight — they run on the device on every interval. Avoid commands that take more than a second to complete.

⚡

Remote Power Control

Reboot or shut down devices from the portal without SSH

Remote Power Control lets you reboot or shut down any device directly from the portal — no SSH session required. This is especially useful when a device is unresponsive or you need to apply changes that require a restart.

Using Power Control

Open a device's detail page
Click the ⚡ Power button in the device header
Choose an action:
- Reboot — graceful restart via systemctl reboot
- Shutdown — graceful power off via systemctl poweroff
- Hard Reboot — immediate kernel-level reboot (use only if the device is unresponsive)
Optionally set a delay (0–300 seconds) before the action executes
Click Confirm

Power History

The Power Control card on the device detail page shows the last 10 power events — action taken, who triggered it, timestamp, and status.

⚠️ Hard Reboot warning
Hard Reboot uses a kernel-level sysrq trigger and does not gracefully unmount filesystems. Only use it when the device is completely unresponsive to normal reboot commands. Data loss is possible if the device is actively writing to disk.

Permissions

Power control requires the Admin role. Regular users cannot trigger power actions.

💬

Getting Support

How to get help when you need it

If you've checked this guide and the troubleshooting section and still need help, here's how to reach us:

📧

Email Support

Send a detailed description of your issue to support@xaccel.net. Include your account email, device name, and any error messages you see.

📋

Include in your request

Your account email, the device name, what you were trying to do, what happened instead, and any error messages or screenshots.

🔍

Agent logs

If a device isn't connecting, include the agent logs: journalctl -u xaccel-agent -n 100

💡

Response times

We aim to respond to all support requests within 1 business day. For urgent issues (account suspended, all devices offline), mark your email as URGENT in the subject line.

🌐

Xaccel IoT

Secure Remote IoT Access & Management

Customer Guide · Version 2.0 ·

📲

Zero-Touch Device Provisioning

Ship devices that register themselves automatically on first boot

💡 Perfect for large deployments
If you're shipping dozens or hundreds of identical devices, zero-touch provisioning eliminates the need to manually register each one. Flash once, ship, plug in — done.

How It Works

You bake a single provisioning token into your device image. When a device boots for the first time, the Xaccel agent automatically reads the device's MAC address, contacts your portal, and registers itself. The device appears in your portal within seconds — no SSH, no manual steps, no per-device configuration.

1

Create a provisioning token in the portal under Settings → Zero-Touch Provisioning. Optionally set a default device group so new devices are automatically organised.

2

Add the token to your base image. Create the file /etc/xaccel/agent/provision.conf on your master device:

SERVER_URL=https://portal.yourcompany.com
PROVISION_TOKEN=prov_abc123...

3

Clone and ship. Flash this image to all your devices. Each device has a unique MAC address — that's all the differentiation needed.

4

Devices self-register on first boot. The agent detects it hasn't been provisioned yet, calls the portal, and saves its unique credentials. It then connects normally. You'll see it appear in your device list automatically.

Managing Provisioning Tokens

Go to Settings → Zero-Touch Provisioning to manage your tokens.

Setting	What it does
Label	A friendly name for the token, e.g. "Factory Batch March 2025"
Default Group	New devices are automatically added to this group
Max Uses	Limit how many devices can register (0 = unlimited). Useful for batch tracking.
Expires At	Token stops working after this date — good for time-limited production runs
IP Allowlist	Only allow provisioning from specific IPs (e.g. your factory network)
Allow Re-provision	If a device is reflashed with the same MAC, rotate its credentials

Viewing Registered Devices

Each token shows a Devices button with a count. Click it to see all devices that registered using that token, including their MAC address, name, status, group, and registration date.

Security Tips

Set Max Uses to match your expected batch size — this limits damage if a token leaks
Use IP Allowlist to restrict provisioning to your factory network
Set an Expires At date so old tokens cannot be used after production ends
Revoke tokens immediately after a production run completes
The provisioning token is only needed once — after a device registers, it uses its own unique credentials

Keep your token secret
The provisioning token is baked into your device image. Treat it like a password — do not share images publicly, and revoke tokens when no longer needed.