Authentication

Log in to your AKOS workspace, manage provider credentials, store secrets in the vault, and provision integration connections.

The CLI authenticates to your AKOS workspace via a device-code OAuth flow. Once logged in, provider credentials and secrets are managed separately through the creds, vault, secrets, and connections commands.

Logging in

agentskit-os auth login

This starts a device-code flow:

The CLI prints a verification URL and a short user code.
Open the URL in a browser and enter the code.
After approval, the CLI saves your session token locally and prints Logged in as <userId>.

Flag	Description
`--scope <scope>`	OAuth scope (default: `cli`)
`--client-id <id>`	Override the OAuth client ID

CI environments

If the environment variable AGENTSKIT_TOKEN is already set, auth login exits immediately with a success message. Use this for non-interactive pipelines.

Checking your session

agentskit-os auth whoami

Prints Logged in as <userId> on tenant <tenantId> and confirms the workspace is reachable. Add --json for machine-readable output.

Logging out

agentskit-os auth logout

Clears the locally stored session token. Safe to call when no session exists (idempotent).

Managing provider credentials

The creds command lists, verifies, and stores the API keys required by AI providers and integrations. Values are never printed.

List known providers

agentskit-os creds list

Shows each provider, its kind, and the vault keys it requires.

Filter by kind or provider:

agentskit-os creds list --kind llm
agentskit-os creds list --provider anthropic

Output as JSON:

agentskit-os creds list --json

Check credential presence

agentskit-os creds check

Scans the environment (and optionally a secrets file) for each required key. Exits with code 0 when all keys are present, code 7 when any are missing.

# Check against a local dotenv-style file (key names only — values never shown)
agentskit-os creds check --secrets-file .env.local
 
# Skip cloud providers (air-gapped workspace)
agentskit-os creds check --air-gap
 
# Restrict to a specific provider
agentskit-os creds check --provider openai

Set a credential

agentskit-os creds set

Interactive guided flow for storing a credential. Follows the same vault backend as vault put.

Onboarding guide

Print the full credential onboarding playbook:

agentskit-os creds guide

Vault: workspace secrets

The vault command reads and writes secrets in the workspace vault. Secret values are never printed — only key names and their source are shown.

Store a secret

agentskit-os vault put OPENAI_API_KEY sk-...

Scope the secret to a tenant instead of the workspace:

agentskit-os vault put STRIPE_SECRET_KEY sk_live_... --scope tenant

Scopes: workspace (default), tenant.

List stored secrets

agentskit-os vault list

Shows key names and their source (e.g. os-keychain). Add --json for machine-readable output.

Secrets: headless provisioning

The secrets command is a headless alternative to vault, operating through the running workspace sidecar. Use it when scripting in environments where the sidecar is already running.

# Store a secret
agentskit-os secrets set GITHUB_TOKEN ghp_...
 
# List stored keys (values hidden)
agentskit-os secrets list
 
# Filter output as JSON
agentskit-os secrets list --json

Scope options (--scope workspace|tenant) work the same as vault put.

Integration connections

Integration connections link your workspace to external services (Slack, GitHub, Stripe, and others). Authentication always references a vault key — never a plaintext token.

Provision a connection

First, store the credential in the vault:

agentskit-os vault put SLACK_BOT_TOKEN xoxb-...

Then create the connection, referencing the vault key:

agentskit-os connections set \
  --id slack-main \
  --kind slack \
  --label "Main Slack workspace" \
  --secret-id SLACK_BOT_TOKEN

For integrations that require no auth:

agentskit-os connections set \
  --id public-webhook \
  --kind webhook \
  --label "Inbound webhook" \
  --no-auth

Supported kinds: slack, github, linear, discord, email, cron, file, webhook, cdc, twilio, sentry, pagerduty, stripe, s3, mcp, llm.

List connections

agentskit-os connections list
 
# Filter by kind
agentskit-os connections list --kind slack
 
# JSON output
agentskit-os connections list --json

Inspect a connection

agentskit-os connections get slack-main

Remove a connection

agentskit-os connections rm slack-main

Removing a connection does not delete the underlying vault secret.

Authentication

On this page