Thalassa BYOC Setup

This guide walks you through connecting your own Thalassa Cloud account to Mengi Cloud as a BYOC (“Bring Your Own Cloud”) credential. When you use BYOC, Mengi provisions and manages a Kubernetes cluster inside your own Thalassa Cloud organisation, billed directly by Thalassa. Mengi only charges a management fee instead of the full infrastructure cost.

You will:

  1. Find your Organisation ID in the Thalassa Cloud Console.
  2. Create a Personal Access Token (PAT).
  3. Store the credential in Mengi Cloud and create a cluster.

The whole process is done in the Thalassa Cloud Console — no CLI required.


What Mengi creates in your organisation

When you provision a BYOC cluster, Mengi creates the following in your organisation:

Resource                                           | Thalassa product
A VPC (10.0.0.0/16) and subnet                     | Networking
A route table and NAT gateway for outbound traffic | Networking
A managed Kubernetes cluster                       | Kubernetes
A node pool (with optional autoscaling)            | Kubernetes

The cluster’s nodes, load balancers and volumes are created and billed in your organisation. You can delete everything at any time from the Mengi dashboard (which cleanly tears down the infrastructure) or from the Thalassa Cloud Console.


Required permissions

Mengi authenticates with a Personal Access Token (PAT) paired with your Organisation ID — sent as Authorization: Token <token>, with the Organisation ID scoping every call to that one organisation.

Credential      | Why it’s needed
API Token (PAT) | Authenticates Mengi to the Thalassa API
Organisation ID | Scopes every call to your organisation (sent as the organisation identity)

The PAT carries its own scopes. For BYOC, give it API Write (read/write to the API, which covers the networking resources) and Kubernetes (clusters and node pools) — nothing else.

Why a PAT (not Access Credentials)? Thalassa offers two API-access methods: account-wide Personal Access Tokens and organisation-scoped Access Credentials (an access key + secret, which Thalassa marks “recommended”). Mengi’s integration uses the single-token Authorization: Token scheme, which is the PAT. Access Credentials are a key/secret pair and don’t fit that field today.

Isolation: A PAT is account-wide — the per-organisation scoping comes from the Organisation ID you give Mengi, not from the token. (Thalassa has no lightweight sub-division below the organisation, and creating a separate organisation requires full business registration — VAT / KvK — so Mengi runs in your existing organisation.)


Prerequisites

  • A Thalassa Cloud account with a valid payment method (cluster nodes incur Thalassa charges in your organisation).
  • Permission to create personal access tokens on your account.

Part 1 — Thalassa Cloud Console setup

1. Find your Organisation ID

  1. Sign in to the Thalassa Cloud Console.
  2. On the Dashboard, find the Organisation card on the right and copy the value under Identity — it looks like o-d65pcprjp56s73cvk140. (The same value is shown on the Organisation tab.) This is your Organisation ID.

2. Create a Personal Access Token

Mengi authenticates with a Personal Access Token (PAT) — a single token used as Authorization: Token <token>.

  1. Open the account menu (top-right, your email) → API Access → Manage Personal Access Tokens → Create Personal Access Token.
  2. Give it a Name (e.g. mengi-byoc) and select the scopes: API Write and Kubernetes. Optionally set an expiry (leave empty for none).
  3. Create it and copy the token now — it is shown only once. This is your Token.

You now have the two values Mengi needs:

Value           | Where it came from
Organisation ID | Dashboard → Organisation → Identity (o-…)
Token           | The Personal Access Token (shown once)

CLI note. Thalassa Cloud does publish a CLI (linked in the console) and a Terraform provider, but they aren’t needed for BYOC — Mengi drives provisioning for you. You only need the PAT above.


Part 2 — Store the credential in Mengi Cloud

  1. Sign in to the Mengi Cloud dashboard and open Cloud Credentials from the left-hand menu.
  2. Click Add Credential.
  3. Fill in the form:
    • Credential Name — any label, e.g. thalassa-byoc.
    • Cloud Provider — select Thalassa Cloud.
    • Organisation ID — paste your Organisation ID.
    • Token — paste your API token.
  4. Click Add Credential.

The credential is stored encrypted and starts in Pending Validation. Mengi validates it by listing Kubernetes clusters in your organisation; once that succeeds the status turns to Ready. If it shows Invalid, re-check the token and that the Organisation ID is correct.


Part 3 — Create a BYOC cluster

  1. Start a new cluster/deployment in the Mengi dashboard.
  2. Choose Thalassa as the provider and select a region: nl-01 (Amsterdam).
  3. Enable Use my own cloud account (BYOC) and select the thalassa-byoc credential.
  4. Pick a cluster type, either Dedicated (1 node) or Dedicated HA (3 nodes, with SLA), and create the cluster.

Mengi provisions the VPC, NAT gateway, Kubernetes control plane and node pool in your organisation. The cluster moves through pending → provisioning → running. Deleting it from Mengi tears the infrastructure back down in your organisation.

BYOC is not available on the Development type — those are virtual clusters on Mengi’s own shared host infrastructure. Use Dedicated or Dedicated HA.


Rotating the API token

  1. In the Thalassa Cloud Console, create a new API token (Part 1, Step 2).
  2. In Mengi, edit the thalassa-byoc credential, paste the new token, then re-validate.
  3. Once the new token is Ready, delete the old token in the console.

Revoking access

To cut Mengi off entirely, delete the API token in the Thalassa Cloud Console. Delete any running BYOC clusters from the Mengi dashboard first so the infrastructure is cleaned up — once the token is gone, Mengi can no longer tear those resources down for you.


Security notes

  • The API token is shown only once at creation — store it securely and never commit it to version control.
  • Mengi stores BYOC credentials encrypted, not in plaintext.
  • Rotate the token periodically.
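
One way to enforce the "never commit it" rule is to scan files for a literal value after the Authorization: Token scheme described above. This is an added example, not code from Mengi or Thalassa. The Organisation ID pattern is an assumption inferred from the single example ID on this page, the token's own format is not documented here, and scan_text and the SAMPLE_ values are hypothetical names and constructed data.

```python
import re
import sys

# Scheme from the page: "Authorization: Token <token>". The token's own format
# is not documented there, so any literal value after the scheme is flagged.
# Placeholders such as <token>, $TOKEN, ${TOKEN} or {token} are skipped.
AUTH_RE = re.compile(
    r"Authorization['\"]?\s*[:=]\s*['\"]?Token\s+([^\s'\"<>${}]{8,})",
    re.IGNORECASE,
)
# Assumption: Organisation IDs follow the page's example, "o-" + 20 characters.
ORG_RE = re.compile(r"\bo-[a-z0-9]{20}\b")

# Constructed samples: a script with a hard-coded fake token, and a safe one.
SAMPLE_BAD = (
    'ORG = "o-d65pcprjp56s73cvk140"\n'
    'headers = {"Authorization": "Token FAKEFAKEFAKE1234"}\n'
)
SAMPLE_OK = 'curl -H "Authorization: Token ${THALASSA_TOKEN}" "$API_URL"\n'


def scan_text(name, text):
    """Return findings for hard-coded tokens; the token value is never echoed."""
    has_org = bool(ORG_RE.search(text))
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = AUTH_RE.search(line)
        if match:
            findings.append({
                "file": name,
                "line": lineno,
                "token_length": len(match.group(1)),
                # Token plus Organisation ID in one file is the full credential.
                "org_id_in_same_file": has_org,
            })
    return findings


def main(paths):
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(path, fh.read()))
    for f in findings:
        print(f"{f['file']}:{f['line']}: literal token ({f['token_length']} chars), "
              f"org id in same file: {f['org_id_in_same_file']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it over the files about to be committed, for example from a pre-commit hook, and block the commit on a non-zero exit code.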