Thanks! A one-time provisioning token helps a node connect and get a host certificate signed by the right CA key. All further authentication happens using OpenSSH host certificates. This also means that new nodes can simply join the cluster as long as they have the right certs, without using provisioning tokens at all. This allows you to have an external authority bootstrapping new nodes without talking to the existing auth server.
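The trust model described in the comment above, as an added example that is not part of the original comment or of Teleport's code: plain OpenSSH `ssh-keygen` is used to create a host CA, sign a node's host key into a host certificate, and check that certificate the way a client that trusts the CA would. The one-time token exchange itself is Teleport-specific and is not modelled; what is shown is the second half, authentication by host certificate, and why holding the CA key (not a token) is what lets an authority admit nodes. The names `cluster-ca`, `rogue-ca`, `node1`, `node2` and `example.internal` are made up for illustration, and the script assumes `ssh-keygen` is on the PATH.

```shell
#!/bin/sh
# Added example, not Teleport's code: OpenSSH host-certificate trust with ssh-keygen.
# All names (cluster-ca, rogue-ca, node1, node2, example.internal) are illustrative.
set -eu

# make_ca DIR NAME: create a CA key pair. In the model above this is the cluster's
# host CA; whoever holds the private half can admit nodes, token or no token.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2" >/dev/null
  echo "$1/$2"
}

# sign_host_key CA_KEY HOST_PUB ID PRINCIPALS: turn a node's host public key into a
# host certificate (-h) for the given principal names, valid for 52 weeks. Only the
# public half of the node key is needed; the private key never leaves the node.
# Prints the path ssh-keygen writes the certificate to (HOST-cert.pub).
sign_host_key() {
  ssh-keygen -q -s "$1" -I "$3" -h -n "$4" -V +52w "$2" >/dev/null
  echo "${2%.pub}-cert.pub"
}

# ca_trust_line CA_PUB: the known_hosts line clients pin instead of per-node host
# keys. Any host certificate signed by this CA for a matching hostname is accepted,
# so a new node needs no trust-on-first-use and no known_hosts update anywhere.
ca_trust_line() {
  printf '@cert-authority *.example.internal %s\n' "$(cut -d' ' -f1,2 "$1")"
}

# verify_host_cert CERT CA_PUB PRINCIPAL: what a client effectively checks on
# connect, expressed with ssh-keygen -L: the file is a host certificate (not a user
# one), its signing CA fingerprint is the trusted CA, and it carries the expected
# principal. Prints "ok" or "fail".
verify_host_cert() {
  info=$(ssh-keygen -L -f "$1")
  ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
  case "$info" in
    *"host certificate"*) ;;
    *) echo fail; return 0 ;;
  esac
  case "$info" in
    *"Signing CA: ED25519 $ca_fp"*) ;;
    *) echo fail; return 0 ;;
  esac
  case "$info" in
    *"$3"*) echo ok ;;
    *) echo fail ;;
  esac
}

# demo: node1 joins by having its host key signed by the cluster CA; node2 presents a
# well-formed certificate from some other CA and is rejected. Prints "ok fail" and
# writes the known_hosts trust line for the cluster CA to stderr.
demo() {
  dir=$(mktemp -d)
  ca=$(make_ca "$dir" cluster-ca)
  ssh-keygen -q -t ed25519 -N '' -C node1 -f "$dir/node1_host" >/dev/null
  cert=$(sign_host_key "$ca" "$dir/node1_host.pub" node1 node1.example.internal)
  good=$(verify_host_cert "$cert" "$ca.pub" node1.example.internal)

  rogue=$(make_ca "$dir" rogue-ca)
  ssh-keygen -q -t ed25519 -N '' -C node2 -f "$dir/node2_host" >/dev/null
  bad_cert=$(sign_host_key "$rogue" "$dir/node2_host.pub" node2 node2.example.internal)
  bad=$(verify_host_cert "$bad_cert" "$ca.pub" node2.example.internal)

  ca_trust_line "$ca.pub" >&2
  rm -rf "$dir"
  echo "$good $bad"
}
```

Run `demo` after sourcing the script; it prints `ok fail`. The rejected case is the point of the comment: node2's certificate is structurally valid, but it was not issued by the CA the cluster trusts, so no token or auth-server round trip could have made it acceptable, and conversely anyone holding the cluster CA's private key can mint valid host certs offline.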