Operator Controls
CLI operator commands
Configuration

```bash
# Initialize local config file
clawdentity config init

# Set a config value (valid keys: registryUrl, proxyUrl, apiKey, humanName)
clawdentity config set <key> <value>

# Get a resolved config value
clawdentity config get <key>

# Show all resolved config values
clawdentity config show
```

Agent lifecycle

```bash
# Create a new agent identity (local keypair + registry registration)
clawdentity agent create <name>

# Inspect an agent's identity and token details
clawdentity agent inspect <name>

# Revoke an agent auth session (access/refresh token invalidation)
clawdentity agent auth revoke <name>

# Refresh agent auth tokens
clawdentity agent auth refresh <name>
```

API key management

```bash
# Create a new PAT (token shown once)
clawdentity api-key create --name <key-name>

# List PAT metadata (id, name, status, createdAt, lastUsedAt)
clawdentity api-key list

# Revoke a specific PAT
clawdentity api-key revoke <key-id>
```

Invite management

```bash
# Create a registry onboarding invite (admin only)
clawdentity invite create

# Redeem an invite to create an account
clawdentity invite redeem <code>
```

Connector management

```bash
# Start the local relay connector runtime
clawdentity connector start <agentName>

# Install autostart service (launchd on macOS, systemd on Linux)
clawdentity connector service install <agentName>

# Remove autostart service
clawdentity connector service uninstall <agentName>
```

Diagnostics

```bash
# Validate provider relay setup and runtime checks
clawdentity provider doctor --for <platform> [--peer <alias>] [--json]

# Send a relay probe to a configured peer alias
clawdentity provider relay-test --for <platform> --peer <alias> [--json]
```

Pairing

```
# Start pairing (returns clwpair1_ ticket + metadata)
POST /pair/start

# Confirm pairing with ticket from initiator
POST /pair/confirm

# Check pairing status
POST /pair/status
```

Skill management

```bash
# Install provider artifacts for selected platform
clawdentity install --for <platform>
```

Trust model

Sender side (agent owner/admin)

- Global revocation via registry API (`DELETE /v1/agents/:id`)
- Scope: registry-level — every receiving proxy rejects the revoked token once CRL refreshes
- Use when: key compromise, decommissioning, or ownership suspension

Receiver side (gateway owner)

- Local blocking by removing a trust pair from the proxy trust store
- Scope: that specific gateway/proxy only
- Use when: policy mismatch, abuse from a specific caller, temporary trust removal

Incident response

- Receiver blocks caller locally for immediate containment
- Sender owner/admin performs registry revoke for ecosystem-wide invalidation
- Proxies return `401` for revoked identity, `403` for valid but not in a confirmed trust pair

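The following is an added example, not Clawdentity code: a small model of a receiving proxy that replays the incident-response order above and shows why the local block comes first (registry revocation only takes effect once each proxy refreshes its CRL). The `Proxy` class, its method names, the agent and service names, and the `200` success status are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Proxy:
    """Toy receiving proxy (hypothetical model, not Clawdentity code)."""
    trust_pairs: set = field(default_factory=set)  # confirmed (caller, local agent) pairs
    cached_crl: set = field(default_factory=set)   # revoked ids as of the last CRL refresh

    def refresh_crl(self, registry_revoked):
        # Registry-level revocation reaches this proxy only when it refreshes its CRL.
        self.cached_crl = set(registry_revoked)

    def block(self, caller, local_agent):
        # Receiver-side containment: remove the trust pair; immediate, this proxy only.
        self.trust_pairs.discard((caller, local_agent))

    def authorize(self, caller, local_agent):
        if caller in self.cached_crl:
            return 401  # revoked identity
        if (caller, local_agent) not in self.trust_pairs:
            return 403  # valid identity, but not in a confirmed trust pair
        return 200      # assumed success status for this model

def incident_timeline():
    """Replay the incident-response order against two gateways (constructed data)."""
    registry_revoked = set()
    gw_a = Proxy(trust_pairs={("agent-x", "svc-a")})
    gw_b = Proxy(trust_pairs={("agent-x", "svc-b")})

    def seen():
        return (gw_a.authorize("agent-x", "svc-a"), gw_b.authorize("agent-x", "svc-b"))

    log = [("baseline", *seen())]
    gw_a.block("agent-x", "svc-a")        # receiver A blocks the caller locally
    log.append(("A blocks locally", *seen()))
    registry_revoked.add("agent-x")       # sender owner/admin revokes at the registry
    log.append(("revoked, CRL stale", *seen()))
    for gw in (gw_a, gw_b):               # every proxy refreshes its CRL
        gw.refresh_crl(registry_revoked)
    log.append(("CRL refreshed", *seen()))
    return log

if __name__ == "__main__":
    for step, status_a, status_b in incident_timeline():
        print(f"{step:<20} gateway A: {status_a}  gateway B: {status_b}")
```

Gateway B keeps accepting the caller until its CRL refresh, which is the window the receiver-side block is meant to cover.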
Command idempotency

| Command | Idempotent? | Note |
|---|---|---|
| `config init` | Yes | Safe to re-run |
| `invite redeem` | No | One-time; invite consumed on success |
| `agent create` | No | Fails if agent directory exists |
| `agent auth revoke` | Yes | Safe to repeat; session remains revoked |
| `provider setup --for <platform>` | Usually yes | Primary reconciliation re-entry point |
| `install --for <platform>` | Yes | Reports: installed/updated/unchanged |
| `connector service install` | Yes | Idempotent |