Rancher 2.2 custom nodes, rancher-agent token & security

Hi-

We have a question about Rancher from a security standpoint. When Rancher 2.x custom nodes are deployed there is a docker command we copy/paste which includes a --token value. What is that token, and what level of access does it have to the host Rancher system?

I assume the node from there on out uses that token to send informative updates to the Rancher system? Is it limited to only updating information about that specific node, or can it (in theory) be used to update info on other nodes in the same cluster, and of course I doubt it could access the rancher API in reference to any other clusters besides its own?

(this is more of a question from our firewall maintainers as to why the custom RKE nodes need access back to port 443 of the rancher server)

Also if you don’t mind, could you point me to the right documentation or code files (I am versed in Golang) where I can see the API schema that nodes use when reporting back to the Rancher server?