API keys
Scripto CLI keys — the scripto_ Bearer prefix, long-lived by default, named and revocable, with a surfaced last-used timestamp and an optional expiry.
The CLI authenticates with a scripto_ API key, sent as Authorization: Bearer scripto_…. Better Auth’s apiKey plugin owns these keys; a key’s owner is its referenceId (your user id).
Key policy
| Property | Behaviour |
|---|---|
| Prefix | Every CLI key starts with scripto_. |
| Lifetime | Long-lived by default — no forced expiry. An agent can’t easily re-authenticate mid-run, so keys persist. |
| Named | Every key has a human-readable name (defaults to scripto-cli for OTP-minted keys). |
| Revocable | Any key can be revoked from web Settings → API keys or via DELETE /api/keys/[id]. |
| Last-used surfaced | A last-used timestamp is shown so a stale key is visible and killable. |
| Optional expiry | Minting offers an optional expiry for users who want one. |
The security weight for the public surface is carried by the OAuth path’s short-lived access tokens and a rate limit on the open mint endpoint — not by forcing CLI key rotation. A CLI key being long-lived is a deliberate ergonomic choice for agents.
How a key is minted
Over OTP (no browser)
scripto auth login-complete --email … --code … verifies the code and mints a key bound to your user. The raw key is returned once and stored in your active profile.
From web Settings
Create a named key in Settings → API keys, copy it once, and store it with scripto config set --api-key scripto_....
The raw value is shown once
A key’s raw secret is returned only at creation — by login-complete, or by POST /api/keys. It is never retrievable again. Listing keys (GET /api/keys) returns metadata only (id, name, prefix, start, timestamps), never the secret.
Where keys live locally
The CLI stores keys as profiles in ~/.config/scripto/config.json (mode 0600). One key per profile; the active profile is used unless you pass --profile or --api-key. See Configuration.
Revoking
# Web: Settings → API keys → revoke.
# HTTP:
curl -sS -X DELETE https://scripto.codika.io/api/keys/<keyId> \
-H "Authorization: Bearer $SCRIPTO_API_KEY"Revocation is immediate; a revoked key fails the next request with unauthenticated.
Next
- Configuration — profiles, env vars, the resolution chain.
- Authentication — the Bearer header on the HTTP API.
- Key endpoints — list, create, revoke.