Everything beyond the README quick start. Reference for authentication, commands, configuration, and agent integration.
| Mode | Use case | How |
|---|---|---|
| Passphrase | Human admin, interactive | Prompted at runtime |
| Keyfile | Automation, headless | --keyfile or AUTHY_KEYFILE env var |
| Session token | Agent access, scoped | --token or AUTHY_TOKEN (requires keyfile too) |
Session tokens are read-only — agents cannot store, remove, or modify secrets or policies.
Run-only restricts agents to safe commands and blocks sensitive ones that expose secret values directly.
| Command | Classification | Run-only allowed? |
|---|---|---|
authy run |
Safe — injects into subprocess | Yes |
authy resolve |
Safe — writes to file/stdout | Yes |
authy list |
Safe — names only, no values | Yes |
authy get |
Sensitive — exposes value | No (exit 4) |
authy env |
Sensitive — exposes values | No (exit 4) |
authy export |
Sensitive — exposes values | No (exit 4) |
Run-only can be set at either level — either one triggers the restriction:
# Token-level
authy session create --scope my-scope --ttl 1h --run-only
# Policy-level
authy policy create agent-scope --allow "*" --run-only
# Toggle on existing policy
authy policy update agent-scope --run-only trueWhen stdin is not a TTY (CI/CD, agent scripts), authy fails fast instead of prompting. Set credentials via environment:
export AUTHY_KEYFILE=~/.authy/keys/master.key
# or: export AUTHY_PASSPHRASE=...
# or: export AUTHY_TOKEN=... (with AUTHY_KEYFILE)Set AUTHY_NON_INTERACTIVE=1 to force non-interactive mode even with a TTY.
authy store <name> # reads value from stdin, Ctrl+D to finish
authy get <name> # output value to stdout
authy list [--scope <s>] [--json] # list secret names
authy remove <name> # delete a secret
authy rotate <name> # update value, bumps versionOutput secrets as environment variables in different formats:
# Shell format (sourceable)
eval "$(authy env --scope agent --format shell --uppercase --replace-dash '_')"
# Dotenv format
authy env --scope agent --format dotenv > .env
# JSON format
authy env --scope agent --format json | jq .Options:
--format shell|dotenv|json— output format (default: shell)--uppercase— transform names to UPPER_CASE--replace-dash <char>— replace-in names (e.g.,_)--no-export— omitexportprefix in shell format
# Import from .env files
authy import .env # transforms UPPER_SNAKE to lower-kebab
authy import .env --keep-names # preserve original names
authy import .env --force # overwrite existing secrets
authy import .env --prefix api # prefix all names with "api-"
authy import .env --dry-run # preview without writing
authy import - # read from stdin
# Export
authy export --format env [--scope <s>]
authy export --format jsonauthy policy create <name> --allow "db-*" --deny "prod-*"
authy policy create <name> --allow "*" --run-only
authy policy show <name>
authy policy update <name> --run-only true
authy policy list [--json]
authy policy remove <name>
authy policy test --scope <s> <name> # test if scope can access a secretPolicy evaluation: deny overrides allow, default deny.
authy session create --scope <policy> --ttl <duration> [--run-only]
authy session list [--json]
authy session revoke <id>
authy session revoke-allToken format: authy_v1.<base64> — scannable prefix for leak detection.
authy run [--scope <s>] [--uppercase] [--replace-dash <c>] -- <command> [args...]Secrets matching the scope are injected as environment variables into the child process. The parent process (agent) never sees them.
authy resolve <file> [--scope <s>] [--output <path>]Replaces <authy:key-name> placeholders in a file with secret values. Safe for run-only mode — the resolved output goes to a file or stdout, never returned as a raw value.
# Resolve config template to stdout
authy resolve config.yaml.tpl --scope deploy
# Resolve to a file
authy resolve config.yaml.tpl --scope deploy --output config.yamlauthy rekey [--generate-keyfile <path>] [--new-keyfile <path>] [--to-passphrase]Re-encrypts the vault with new credentials. Requires master key authentication (tokens cannot rekey). All existing session tokens are invalidated after rekey.
# Switch from passphrase to keyfile
authy rekey --generate-keyfile ~/.authy/keys/new.key
# Switch to an existing keyfile
authy rekey --new-keyfile ~/.authy/keys/other.key
# Switch from keyfile to passphrase
authy rekey --to-passphraseauthy audit show [--json] # show log entries
authy audit verify # verify HMAC chain integrity
authy audit export # export as JSONauthy project-info # show .authy.toml config
authy alias [scope] [tools...] # generate shell aliases
authy hook <shell> # output shell hook codeauthy admin [--keyfile <path>] # launch TUI
authy config show # show configurationAuto-discovered from current directory upward. Makes --scope optional on run, env, export:
[authy]
scope = "my-project"
keyfile = "~/.authy/keys/master.key"
uppercase = true
replace_dash = "_"
aliases = ["claude", "aider"] # tools to generate aliases forAuto-activate project config on cd (like direnv):
eval "$(authy hook bash)" # add to ~/.bashrc
eval "$(authy hook zsh)" # add to ~/.zshrc
authy hook fish | source # add to ~/.config/fish/config.fishGenerate aliases that wrap tools with authy run:
authy alias --from-project # uses .authy.toml aliases list
authy alias my-scope claude aider # explicit scope and tools~/.authy/
vault.age Encrypted vault (secrets + policies + sessions)
audit.log Append-only audit log (JSONL)
authy.toml Configuration (optional)
keys/
master.key age identity (private key)
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Authentication failed |
| 3 | Not found (secret, policy, session) |
| 4 | Access denied / run-only restriction |
| 5 | Vault error (corrupt, missing) |
| 6 | Token invalid, expired, or revoked |
| 7 | Subprocess error |
All read commands support --json. Errors with --json emit to stderr:
{"error": {"code": "access_denied", "message": "Run-only mode", "exit_code": 4}}Install the skill for AI coding agents:
npx skills add eric8810/authy # Agent Skills standard
clawhub install eric8810/authy # ClawHub
cp -r skills/authy ~/.claude/skills/ # Manual (Claude Code)The skill teaches agents only authy run and authy list — agents never learn commands that expose values.