Documentation Index
Fetch the complete documentation index at: https://docs.crewship.ai/llms.txt
Use this file to discover all available pages before exploring further.
crewship credential
Manage credentials (API keys, tokens, secrets) used by AI agents.
crewship credential <subcommand> [flags]
crewship cred
Subcommands
| Command | Description |
|---|
list | List all credentials in the workspace |
get | Show credential details (value is never displayed) |
create | Create a credential |
update | Update a credential |
delete | Delete a credential |
assign | Assign a credential to an agent |
unassign | Remove a credential from an agent |
test | Test a credential value before saving |
test-stored | Test an already-saved credential against the provider API |
rotate | Rotate a credential value with a grace-overlap window |
rotations | List rotation history for a credential |
rotation-cancel | End an ACTIVE rotation’s grace window early |
audit | Show audit timeline (USE / ROTATE / TEST / REVOKE) |
default-env-var | Print the conventional env var name for a provider |
crewship credential list
List all credentials in the workspace.
Output columns: ID, NAME, TYPE, PROVIDER, STATUS, AGENTS
crewship credential get
Show credential details. The credential value is never displayed.
crewship credential get <name-or-id>
crewship credential create
Create a new credential. The value is validated against the provider API before saving.
crewship credential create --name anthropic-key --type API_KEY --provider ANTHROPIC --value sk-ant-...
crewship credential create --name github-token --type SECRET --provider GITHUB --value-stdin
| Flag | Type | Default | Description |
|---|
--name | string | (required) | Credential name. |
--type | string | (required) | Type: SECRET, API_KEY, AI_CLI_TOKEN, or CLI_TOKEN. |
--provider | string | | Provider: ANTHROPIC, OPENAI, GOOGLE, GITHUB, GITLAB, VERCEL, AWS, CUSTOM_CLI, NONE. All providers except NONE trigger live API validation of the credential against the provider’s authentication endpoint; NONE skips validation entirely (use for opaque secrets that don’t map to a known provider). |
--value | string | | Credential value. Visible in process list — prefer --value-stdin. |
--value-stdin | bool | false | Read value from stdin (secure, no process list exposure). |
--env-var-name | string | | Environment variable name. |
--security-level | int | 0 | Keeper security level: 0 (none), 1 (low), 2 (medium), 3 (sensitive). |
Using --value exposes the credential in the process list. Use --value-stdin for secure input:echo "sk-ant-..." | crewship credential create --name anthropic-key --type API_KEY --provider ANTHROPIC --value-stdin
Credential values are validated against the provider API automatically. If validation fails, you are prompted to confirm saving. OAuth tokens (sk-ant-oat*) and SECRET type credentials skip validation.
crewship credential update
Update a credential. Only changed flags are sent.
crewship credential update <name-or-id> --value new-key-value
crewship credential update anthropic-key --value-stdin
| Flag | Type | Default | Description |
|---|
--name | string | | New credential name. |
--value | string | | New credential value. |
--value-stdin | bool | false | Read new value from stdin. |
--security-level | int | 0 | Keeper security level: 0-3. |
crewship credential delete
Delete a credential. Prompts for confirmation.
crewship credential delete <name-or-id>
crewship credential delete anthropic-key --yes
| Flag | Short | Type | Default | Description |
|---|
--yes | -y | bool | false | Skip confirmation prompt. |
crewship credential assign
Assign a credential to an agent. The credential is injected as an environment variable into the agent’s container.
crewship credential assign <name-or-id> <agent-slug> --env-var-name ANTHROPIC_API_KEY
| Flag | Type | Default | Description |
|---|
--env-var-name | string | (required) | Environment variable name (e.g., ANTHROPIC_API_KEY). |
--priority | int | 0 | Priority (1-10). |
crewship credential unassign
Remove a credential from an agent.
crewship credential unassign <name-or-id> <agent-slug>
crewship credential test
Test a credential value against the provider API without saving it.
crewship credential test --provider ANTHROPIC --value sk-ant-...
crewship credential test --provider OPENAI --type API_KEY --value-stdin
| Flag | Type | Default | Description |
|---|
--provider | string | (required unless SECRET) | Provider: ANTHROPIC, OPENAI, GOOGLE, GITHUB, GITLAB, VERCEL, AWS, CUSTOM_CLI. |
--type | string | | Type: API_KEY, AI_CLI_TOKEN, SECRET, CLI_TOKEN. |
--value | string | | Credential value to test. |
--value-stdin | bool | false | Read value from stdin. |
crewship credential test-stored
Re-test an already-saved credential against the provider API without re-supplying the value. Useful for verifying that a rotated key still works, or that a long-lived token has not been revoked upstream.
crewship credential test-stored <name-or-id>
valid: true; otherwise the error message from the provider is printed.
crewship credential rotate
Issue a new value for the credential. The old value is preserved on the rotation row for --grace-seconds (default 24h, max 7d) so in-flight agents that cached the old key can still fall back during their run, then the old value is scrubbed.
crewship credential rotate gh-token --value sk_new_... --yes
echo "$NEW" | crewship credential rotate gh-token --value-stdin
crewship credential rotate gh-token --value-stdin --grace-seconds 0 # immediate cutover
| Flag | Type | Default | Description |
|---|
--value | string | | New value (visible in ps — prefer --value-stdin). |
--value-stdin | bool | false | Read new value from stdin. |
--grace-seconds | int | 86400 | Overlap window before the old value is scrubbed. Max 604800 (7 days). |
--yes | bool | false | Skip confirmation. |
crewship credential rotations
List rotation history for a credential.
crewship credential rotations <name-or-id>
crewship credential rotation-cancel
End an ACTIVE rotation’s grace window immediately and scrub the old value. EXPIRED / CANCELLED rotations are no-ops on the server side (idempotent 200).
crewship credential rotation-cancel <rotation-id>
crewship credential rotation-cancel rot_abc123 --yes
| Flag | Short | Type | Default | Description |
|---|
--yes | -y | bool | false | Skip confirmation prompt. |
crewship credential audit
Show the full credential timeline — the same view the detail Sheet’s Audit tab uses. Useful for grep-ing for ROTATE / TEST / REVOKE events without scraping the UI.
crewship credential audit <name-or-id>
crewship credential audit anthropic-key --limit 200
| Flag | Type | Default | Description |
|---|
--limit | int | 100 | Number of entries to return. Range: 1–500. |
crewship credential default-env-var
Print the conventional env var name for a provider (GH_TOKEN, GITLAB_TOKEN, VERCEL_TOKEN, …). Useful when scripting credential assign and you don’t want to memorise every provider’s convention.
crewship credential default-env-var --provider GITHUB
crewship credential default-env-var --provider GITLAB
| Flag | Type | Default | Description |
|---|
--provider | string | (required) | Provider name. |
