Skip to main content
Aethis uses a single API key per identity. What the key can do is governed by its scopes — not by your account role. This page is the one place that explains the scope model, so a permission error is a lookup, not a surprise.

Do you even need a key?

No — not for evaluation. Public rulesets are discoverable, inspectable, and decidable anonymously:
You need a key for tenant projects, private rulesets, composed rulebooks, and all authoring commands (generate, publish, rulebooks create, …).

Sign in

aethis login runs a browser sign-in and caches a key locally. This is the whole of first-time setup:
aethis init runs the same flow for you the first time, so if you’re scaffolding a project you don’t need a separate login step.
No browser? For CI or a headless box, mint a key on a machine that does have a browser (aethis account generate, below), then set AETHIS_API_KEY on the headless host. aethis login needs a browser to complete the OAuth round-trip.

What login mints — and the scopes model

A key from aethis login (and from aethis account generate with no --scope) carries exactly these six scopes: That covers project + ruleset authoring end-to-end. It does not include rulebooks:read / rulebooks:write — see the trap below.

whoami — check before you hit a 403

aethis whoami prints the identity, tier, scopes, and — the useful part — whether authoring is available on this key:
Run this first whenever a command returns 403 denied_missing_permission — it tells you which scopes you’re actually carrying.

The rulebook trap (and the fix)

Because a login key omits rulebooks:*, the first aethis rulebooks create or aethis rulebooks activate on a fresh key fails:
This is not an account-level block — it’s a missing scope. Mint a rulebook-capable key with the full scope list. --scope/-s replaces the default set, so you must list every scope you want, not just the new one:
Then aethis whoami should show all eight scopes, and rulebook authoring works.

Rotating and adding keys

aethis account generate mints an additional key — for rotation, a second machine, or a narrower scope set. It does not revoke your existing key.

Multiple identities: profiles

If you switch between personas (e.g. an admin key and a dev key), store each as a named profile rather than swapping env vars:
Pass --profile anonymous to force unsigned mode for a single command.

Where a key is read from (precedence)

For any command, the key is resolved in this order — first hit wins:
  1. --api-key <key> on the command line
  2. AETHIS_API_KEY in the environment
  3. The active profile / cached credentials (keychain)
--base-url (or AETHIS_BASE_URL) selects the server the key is used against; it defaults to the active profile’s base_url, or https://api.aethis.ai.

CI and background jobs (non-interactive)

Automation must never hang on a prompt. Two ambient switches make every command non-interactive: Combine with --no-prompt to fail fast rather than fall back to a browser sign-in when no key is cached:

See also

  • CLI reference — every command, grouped.
  • Errorsdenied_missing_permission and other failure shapes.
  • REST API — passing the key as X-API-Key over HTTP.