credentials
Manage API credentials
credentials
Manage API credentials for Arctic agents.
Aliases: credential
Synopsis
arctic credentials <subcommand> [flags]Subcommands
| Subcommand | Description |
|---|---|
| list | List all credentials |
| create | Create new credentials |
| revoke | Revoke credentials |
| rotate | Rotate cluster credential |
list
List all credentials for the current license.
Usage
arctic credentials listRequired Scope
urn:tillered:arctic:credentials.read
Example
arctic credentials listOutput
Client ID: cli_01KBYMHMRKGBAWSXB58ENRAR24
Scopes: urn:tillered:arctic:admin
License ID: lic_01KB45EYP1VJ1RZEGJDPKJQ9V4
Created At: 2025-12-08T20:26:39+11:00
Last Used At: 2025-12-09T04:44:01Zcreate
Create new API credentials.
Usage
arctic credentials create [scopes...]Arguments
| Argument | Description |
|---|---|
scopes | Optional space-separated scopes. Empty = admin access. |
Required Scope
urn:tillered:arctic:credentials.write
Examples
# Full admin access
arctic credentials create
# Read-only access
arctic credentials create \
urn:tillered:arctic:peers.read \
urn:tillered:arctic:services.read
# Service management only
arctic credentials create \
urn:tillered:arctic:services.read \
urn:tillered:arctic:services.writeOutput
Credentials created
Client ID: cl_01HXYZ...
Client Secret: sec_abc123...
Scopes: urn:tillered:arctic:peers.read
Created: 2024-01-15 10:30:00 UTC
WARNING: The client secret is only shown once. Store it securely.Available Scopes
| Scope | Description |
|---|---|
urn:tillered:arctic:admin | Full administrative access |
urn:tillered:arctic:peers.read | Read peer information |
urn:tillered:arctic:peers.write | Create, update, delete peers |
urn:tillered:arctic:services.read | Read services and routes |
urn:tillered:arctic:services.write | Create, update, delete services |
urn:tillered:arctic:credentials.read | List credentials |
urn:tillered:arctic:credentials.write | Create and revoke credentials |
revoke
Revoke (delete) credentials.
Usage
arctic credentials revoke <client-id>Arguments
| Argument | Description |
|---|---|
client-id | Client ID to revoke |
Required Scope
urn:tillered:arctic:credentials.write
Example
arctic credentials revoke cl_01HXYZ...Errors
| Error | Description |
|---|---|
client-id required | Missing client ID argument |
credential not found | Credential does not exist |
cannot revoke current credential | Would lock out user |
rotate
Rotate the shared cluster credential.
Usage
arctic credentials rotate [--update-config]Flags
| Flag | Description |
|---|---|
--update-config | Update local config with new secret |
Required Scope
urn:tillered:arctic:credentials.write
Example
# Rotate and update local config
arctic credentials rotate --update-config
# Rotate only (manual config update needed)
arctic credentials rotateOutput
Credential rotated
Client ID: cl_01HXYZ...
Client Secret: sec_NEW...
Version: 2
Rotated By: 01HXYZ...
Rotated At: 2024-01-15 10:30:00 UTC
WARNING: The new client secret is only shown once.
Old secret remains valid for 24 hours.Behavior
- Generates new client secret
- Old secret valid for 24-hour grace period
- New secret propagates via gossip to all peers
- If
--update-config, local config is updated
See Also
- Create Credentials - How-to guide
- Rotate Credentials - How-to guide
- API Authentication