API keys (Documentation Index
Fetch the complete documentation index at: https://docs.copass.com/llms.txt
Use this file to discover all available pages before exploring further.
olk_…) are how your CLI, SDK, and any direct HTTP calls authenticate to Copass. They’re scoped to your account and inherit your role on every sandbox you own or have a connection to.
Plaintext is shown once at creation. The server stores only the SHA-256 hash — there’s no recovery if you lose it.
What you can do
- Create a new key with a label.
- List active keys (metadata only — never plaintext).
- Revoke a key by id.
Via the Concierge
“List my API keys.”
“Revoke the key labeled ci-bot.”
The Concierge can list and revoke. Creation is CLI-only by deliberate policy — minting a long-lived secret should require a human typing a CLI command.
Via the CLI
Storage
By default, keys you create withcopass apikey create are written to ~/.olane/config.json. For shared environments (CI, containers), pass the key via COPASS_API_KEY env var instead:
Common patterns
One key per app
Mint a separate key per app or service so you can revoke one without breaking others. Use the label to track what’s where.
CI / automation
Mint a key labeled for the CI system, store it as a secret, set
COPASS_API_KEY in the runner env. Revoke + rotate on a schedule.Local dev
Let
copass login write to ~/.olane/config.json. The CLI auto-resolves; no env var needed.Lost a key?
There’s no recovery. Revoke the lost key, mint a fresh one, rotate. Keep a credential manager in the loop.
Next steps
- Billing — usage from these keys is billed to your account.
- Sharing agents — for sharing one agent with someone, use an invoke or delegate key (different concept from your account-level API key).
- Security — encryption model, key derivation, and what the server can and can’t see.