> ## Documentation Index
> Fetch the complete documentation index at: https://docs.crewship.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Credential Commands

> Manage encrypted credentials, assign them to agents, and validate API keys.

# crewship credential

Manage credentials (API keys, tokens, secrets) used by AI agents.

```bash theme={null}
crewship credential <subcommand> [flags]
```

**Alias:** `crewship cred`

## Subcommands

| Command           | Description                                               |
| ----------------- | --------------------------------------------------------- |
| `list`            | List all credentials in the workspace                     |
| `get`             | Show credential details (value is never displayed)        |
| `create`          | Create a credential                                       |
| `update`          | Update a credential                                       |
| `delete`          | Delete a credential                                       |
| `assign`          | Assign a credential to an agent                           |
| `unassign`        | Remove a credential from an agent                         |
| `test`            | Test a credential value before saving                     |
| `test-stored`     | Test an already-saved credential against the provider API |
| `rotate`          | Rotate a credential value with a grace-overlap window     |
| `rotations`       | List rotation history for a credential                    |
| `rotation-cancel` | End an ACTIVE rotation's grace window early               |
| `audit`           | Show audit timeline (USE / ROTATE / TEST / REVOKE)        |
| `default-env-var` | Print the conventional env var name for a provider        |

***

## `crewship credential list`

List all credentials in the workspace.

```bash theme={null}
crewship credential list
```

**Output columns:** ID, NAME, TYPE, PROVIDER, STATUS, AGENTS

***

## `crewship credential get`

Show credential details. The credential value is never displayed.

```bash theme={null}
crewship credential get <name-or-id>
```

**Output fields:** ID, Name, Type, Provider, Status, Scope, Created.

***

## `crewship credential create`

Create a new credential. The value is validated against the provider API before saving.

```bash theme={null}
crewship credential create --name anthropic-key --type API_KEY --provider ANTHROPIC --value sk-ant-...
crewship credential create --name github-token --type SECRET --provider GITHUB --value-stdin
```

| Flag               | Type     | Default      | Description                                                                                                                                                                                                                                                                                                                   |
| ------------------ | -------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--name`           | `string` | *(required)* | Credential name.                                                                                                                                                                                                                                                                                                              |
| `--type`           | `string` | *(required)* | Type: `SECRET`, `API_KEY`, `AI_CLI_TOKEN`, or `CLI_TOKEN`.                                                                                                                                                                                                                                                                    |
| `--provider`       | `string` |              | Provider: `ANTHROPIC`, `OPENAI`, `GOOGLE`, `GITHUB`, `GITLAB`, `VERCEL`, `AWS`, `CUSTOM_CLI`, `NONE`. All providers except `NONE` trigger live API validation of the credential against the provider's authentication endpoint; `NONE` skips validation entirely (use for opaque secrets that don't map to a known provider). |
| `--value`          | `string` |              | Credential value. Visible in process list -- prefer `--value-stdin`.                                                                                                                                                                                                                                                          |
| `--value-stdin`    | `bool`   | `false`      | Read value from stdin (secure, no process list exposure).                                                                                                                                                                                                                                                                     |
| `--env-var-name`   | `string` |              | Environment variable name.                                                                                                                                                                                                                                                                                                    |
| `--security-level` | `int`    | `0`          | Keeper security level: `0` (none), `1` (low), `2` (medium), `3` (sensitive).                                                                                                                                                                                                                                                  |

<Warning>
  Using `--value` exposes the credential in the process list. Use `--value-stdin` for secure input:

  ```bash theme={null}
  echo "sk-ant-..." | crewship credential create --name anthropic-key --type API_KEY --provider ANTHROPIC --value-stdin
  ```
</Warning>

<Note>
  Credential values are validated against the provider API automatically. If validation fails, you are prompted to confirm saving. OAuth tokens (`sk-ant-oat*`) and `SECRET` type credentials skip validation.
</Note>

***

## `crewship credential update`

Update a credential. Only changed flags are sent.

```bash theme={null}
crewship credential update <name-or-id> --value new-key-value
crewship credential update anthropic-key --value-stdin
```

| Flag               | Type     | Default | Description                     |
| ------------------ | -------- | ------- | ------------------------------- |
| `--name`           | `string` |         | New credential name.            |
| `--value`          | `string` |         | New credential value.           |
| `--value-stdin`    | `bool`   | `false` | Read new value from stdin.      |
| `--security-level` | `int`    | `0`     | Keeper security level: `0`-`3`. |

***

## `crewship credential delete`

Delete a credential.

```bash theme={null}
crewship credential delete <name-or-id>
crewship credential delete anthropic-key --yes
```

| Flag    | Short | Type   | Default | Description               |
| ------- | ----- | ------ | ------- | ------------------------- |
| `--yes` | `-y`  | `bool` | `false` | Skip confirmation prompt. |

<Warning>
  Agents that depend on this credential lose access immediately. Prompts for
  confirmation unless `--yes` is passed.
</Warning>

***

## `crewship credential assign`

Assign a credential to an agent. The credential is injected as an environment variable into the agent's container.

```bash theme={null}
crewship credential assign <name-or-id> <agent-slug> --env-var-name ANTHROPIC_API_KEY
```

| Flag             | Type     | Default      | Description                                            |
| ---------------- | -------- | ------------ | ------------------------------------------------------ |
| `--env-var-name` | `string` | *(required)* | Environment variable name (e.g., `ANTHROPIC_API_KEY`). |
| `--priority`     | `int`    | `0`          | Priority (1-10).                                       |

***

## `crewship credential unassign`

Remove a credential from an agent.

```bash theme={null}
crewship credential unassign <name-or-id> <agent-slug>
```

***

## `crewship credential test`

Test a credential value against the provider API without saving it.

```bash theme={null}
crewship credential test --provider ANTHROPIC --value sk-ant-...
crewship credential test --provider OPENAI --type API_KEY --value-stdin
```

| Flag            | Type     | Default                    | Description                                                                                   |
| --------------- | -------- | -------------------------- | --------------------------------------------------------------------------------------------- |
| `--provider`    | `string` | *(required unless SECRET)* | Provider: `ANTHROPIC`, `OPENAI`, `GOOGLE`, `GITHUB`, `GITLAB`, `VERCEL`, `AWS`, `CUSTOM_CLI`. |
| `--type`        | `string` |                            | Type: `API_KEY`, `AI_CLI_TOKEN`, `SECRET`, `CLI_TOKEN`.                                       |
| `--value`       | `string` |                            | Credential value to test.                                                                     |
| `--value-stdin` | `bool`   | `false`                    | Read value from stdin.                                                                        |

***

## `crewship credential test-stored`

Re-test an already-saved credential against the provider API without re-supplying the value. Useful for verifying that a rotated key still works, or that a long-lived token has not been revoked upstream.

```bash theme={null}
crewship credential test-stored <name-or-id>
```

Returns success if the live API call returns `valid: true`; otherwise the error message from the provider is printed.

***

## `crewship credential rotate`

Issue a new value for the credential. The old value is preserved on the rotation row for the grace window (max 7d) so in-flight agents that cached the old key can still fall back during their run, then the old value is scrubbed.

The cobra default for `--grace-seconds` is `0`, but the flag is only sent when you explicitly set it. **Omit the flag** and the server applies its standard 24h grace. **Pass `--grace-seconds 0`** to force an immediate cutover (no overlap). Pass any positive value (up to `604800` / 7d) to set a custom window.

```bash theme={null}
crewship credential rotate gh-token --value sk_new_... --yes
echo "$NEW" | crewship credential rotate gh-token --value-stdin
crewship credential rotate gh-token --value-stdin --grace-seconds 0  # immediate cutover
```

| Flag              | Type     | Default | Description                                                                                                                                                                                                                               |
| ----------------- | -------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--value`         | `string` |         | New value (visible in `ps` — prefer `--value-stdin`).                                                                                                                                                                                     |
| `--value-stdin`   | `bool`   | `false` | Read new value from stdin.                                                                                                                                                                                                                |
| `--grace-seconds` | `int`    | `0`     | Overlap window (in seconds) before the old value is scrubbed. The cobra default is `0`, but the flag is only transmitted when set — omit it and the server applies a 24h grace; pass `0` for an immediate cutover. Max `604800` (7 days). |
| `--yes`           | `bool`   | `false` | Skip confirmation.                                                                                                                                                                                                                        |

***

## `crewship credential rotations`

List rotation history for a credential.

```bash theme={null}
crewship credential rotations <name-or-id>
```

**Output columns:** ID, STATUS, ROTATED\_AT, EXPIRES\_AT, GRACE\_S, OLD\_GONE, ROTATED\_BY.

***

## `crewship credential rotation-cancel`

End an `ACTIVE` rotation's grace window immediately and scrub the old value. `EXPIRED` / `CANCELLED` rotations are no-ops on the server side (idempotent 200).

<Warning>
  Scrubbing the old value ends the overlap window early — any in-flight agent
  still using the cached old key loses its fallback immediately.
</Warning>

```bash theme={null}
crewship credential rotation-cancel <rotation-id>
crewship credential rotation-cancel rot_abc123 --yes
```

| Flag    | Short | Type   | Default | Description               |
| ------- | ----- | ------ | ------- | ------------------------- |
| `--yes` | `-y`  | `bool` | `false` | Skip confirmation prompt. |

***

## `crewship credential audit`

Show the full credential timeline — the same view the detail Sheet's Audit tab uses. Useful for `grep`-ing for `ROTATE` / `TEST` / `REVOKE` events without scraping the UI.

```bash theme={null}
crewship credential audit <name-or-id>
crewship credential audit anthropic-key --limit 200
```

| Flag      | Type  | Default | Description                                |
| --------- | ----- | ------- | ------------------------------------------ |
| `--limit` | `int` | `100`   | Number of entries to return. Range: 1–500. |

***

## `crewship credential default-env-var`

Print the conventional env var name for a provider (`GH_TOKEN`, `GITLAB_TOKEN`, `VERCEL_TOKEN`, …). Useful when scripting `credential assign` and you don't want to memorise every provider's convention.

```bash theme={null}
crewship credential default-env-var --provider GITHUB
crewship credential default-env-var --provider GITLAB
```

| Flag         | Type     | Default      | Description    |
| ------------ | -------- | ------------ | -------------- |
| `--provider` | `string` | *(required)* | Provider name. |
