Do you even need a key?
No — not for evaluation. Public rulesets are discoverable, inspectable, and decidable anonymously:generate, publish, rulebooks create, …).
Sign in
aethis login runs a browser sign-in and caches a key locally. This is the whole of
first-time setup:
aethis init runs the same flow for you the first time, so if you’re scaffolding a
project you don’t need a separate login step.
No browser? For CI or a headless box, mint a key on a machine that does have a
browser (
aethis account generate, below), then set AETHIS_API_KEY on the headless
host. aethis login needs a browser to complete the OAuth round-trip.What login mints — and the scopes model
A key from aethis login (and from aethis account generate with no --scope)
carries exactly these six scopes:
That covers project + ruleset authoring end-to-end. It does not include
rulebooks:read / rulebooks:write — see the trap below.
whoami — check before you hit a 403
aethis whoami prints the identity, tier, scopes, and — the useful part — whether
authoring is available on this key:
403 denied_missing_permission — it tells you
which scopes you’re actually carrying.
The rulebook trap (and the fix)
Because a login key omitsrulebooks:*, the first aethis rulebooks create or
aethis rulebooks activate on a fresh key fails:
--scope/-s replaces the default set, so you must list
every scope you want, not just the new one:
aethis whoami should show all eight scopes, and rulebook authoring works.
Rotating and adding keys
aethis account generate mints an additional key — for rotation, a second machine,
or a narrower scope set. It does not revoke your existing key.
Multiple identities: profiles
If you switch between personas (e.g. an admin key and a dev key), store each as a named profile rather than swapping env vars:--profile anonymous to force unsigned mode for a single command.
Where a key is read from (precedence)
For any command, the key is resolved in this order — first hit wins:--api-key <key>on the command lineAETHIS_API_KEYin the environment- The active profile / cached credentials (keychain)
--base-url (or AETHIS_BASE_URL) selects the server the key is used against; it
defaults to the active profile’s base_url, or https://api.aethis.ai.
CI and background jobs (non-interactive)
Automation must never hang on a prompt. Two ambient switches make every command non-interactive:
Combine with
--no-prompt to fail fast rather than fall back to a browser sign-in when
no key is cached:
See also
- CLI reference — every command, grouped.
- Errors —
denied_missing_permissionand other failure shapes. - REST API — passing the key as
X-API-Keyover HTTP.