Hand-maintained reference. For the authoritative flags on your installed version, run the command with
--help.# Rotate the active key against a service (§8.1 pre-claim).
# The previous key is archived as a .bak; once the service confirms the
# new key, shred that backup with `afauth keys forget-backup`.
afauth keys rotate --service https://api.example.com
# Export the active key. It is NOT printed to the terminal by default —
# that would leak the raw seed into scrollback, tmux, and CI logs.
afauth keys export --out backup.json # write a 0600 file
afauth keys export --stdout | gpg -e > key.gpg # or pipe the raw seed to an encryptor
# List archived key backups (each holds a complete private key)
afauth keys backups
# Shred backups: overwrite the bytes, then unlink (best-effort on SSD/CoW)
afauth keys forget-backup ~/.afauth/key.json.1700000000.bak
afauth keys forget-backup --all # every backup of the active key
# Install a key file as the active key (--force to overwrite an existing key)
afauth keys import backup.json
afauth keys import backup.json --force