Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .agents/skills/missing_docs/references/feature_surface_map.md
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,22 @@ oz provider -> src/content/docs/reference/cli/index.mdx
oz federate -> src/content/docs/reference/cli/federate.mdx
oz artifact -> src/content/docs/reference/cli/artifacts.mdx
oz api-key -> src/content/docs/reference/cli/api-keys.mdx

# Scheduled-agent CLI subcommands are fully documented in the scheduled-agents feature page.
oz schedule create -> src/content/docs/platform/triggers/scheduled-agents.mdx
oz schedule list -> src/content/docs/platform/triggers/scheduled-agents.mdx
oz schedule get -> src/content/docs/platform/triggers/scheduled-agents.mdx
oz schedule update -> src/content/docs/platform/triggers/scheduled-agents.mdx
oz schedule pause -> src/content/docs/platform/triggers/scheduled-agents.mdx
oz schedule unpause -> src/content/docs/platform/triggers/scheduled-agents.mdx
oz schedule delete -> src/content/docs/platform/triggers/scheduled-agents.mdx

# Warp-managed secret CLI subcommands are documented in the secrets feature page.
oz secret create -> src/content/docs/platform/secrets.mdx
oz secret list -> src/content/docs/platform/secrets.mdx
oz secret update -> src/content/docs/platform/secrets.mdx
oz secret delete -> src/content/docs/platform/secrets.mdx

# Internal/hidden command — not a user-facing surface, so no public docs.
oz harness-support -> internal

Expand Down
44 changes: 44 additions & 0 deletions src/content/docs/reference/cli/api-keys.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,50 @@ To delete an API key, find it in either the Oz web app or the Warp app's API Key

Deleted keys are immediately invalidated and cannot be recovered. Any services or scripts using the deleted key will lose access and may return an [`authentication_required` error](/reference/api-and-sdk/troubleshooting/errors/authentication-required/).

## Manage API keys from the CLI

In addition to the web and Warp app surfaces, you can manage API keys directly with the [Oz CLI](/reference/cli/). These commands are useful for scripting key rotation and for headless environments.

### List keys

`oz api-key list` prints your active API keys.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 [SUGGESTION] This wording can imply the command prints recoverable secret values. Say it prints metadata for active API keys to keep the CLI behavior aligned with the page's one-time-secret guidance.


* `--sort-by <FIELD>` — Sort by `name`, `created-at`, `last-used-at`, `expires-at`, or `scope`.
* `--sort-order <DIR>` — Sort direction: `asc` or `desc`.
* `--jq <FILTER>` — Filter the JSON output with a jq expression (for example, `--jq '.[].name'`).

```bash
oz api-key list --sort-by last-used-at --sort-order desc
```

### Create a key

`oz api-key create <NAME>` creates a key and prints the raw secret once. Store it securely — you can't retrieve it again.

* `<NAME>` — A name to identify the key (required).
* `--agent <UID>` — Create an agent key that runs as the given cloud agent, instead of a personal key.
* One expiration choice is required: `--expires-in <DURATION>` (for example, `30d`, `12h`, or `90m`), `--expires-at <RFC3339>` (an exact timestamp), or `--no-expiration`.
* `--jq <FILTER>` — Filter the JSON output with a jq expression.

```bash
# A personal key that expires in 30 days
oz api-key create "ci-pipeline" --expires-in 30d

# An agent key scoped to a cloud agent, with no expiration
oz api-key create "nightly-triage" --agent AGENT_UID --no-expiration

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 [SUGGESTION] [SECURITY] The primary agent-key example normalizes a non-expiring credential. Use --expires-in in the example and keep --no-expiration only in the option list.

```

### Expire a key

`oz api-key expire <NAME_OR_UID>` immediately invalidates a key (also available as `oz api-key delete`). Expired keys can't be recovered.

* `<NAME_OR_UID>` — The name or UID of the key to expire (required).
* `--force` — Skip the confirmation prompt.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [IMPORTANT] oz api-key expire also flattens the shared JSON output options, so this section is missing the supported --jq <FILTER> flag. Add it here so the reference covers every flag for the command.


```bash
oz api-key expire "ci-pipeline" --force
```

## Best practices

* **Use personal keys for runs that should act as you.** When code changes should be attributed to your GitHub account, a personal key is the right choice. Use agent keys for automation that isn't tied to a specific user.
Expand Down
Loading