Skip to main content
Hand-maintained reference. For the authoritative flags on your installed version, run the command with --help.
# Rotate the active key against a service (§8.1 pre-claim).
# The previous key is archived as a .bak; once the service confirms the
# new key, shred that backup with `afauth keys forget-backup`.
afauth keys rotate --service https://api.example.com

# Export the active key. It is NOT printed to the terminal by default —
# that would leak the raw seed into scrollback, tmux, and CI logs.
afauth keys export --out backup.json          # write a 0600 file
afauth keys export --stdout | gpg -e > key.gpg # or pipe the raw seed to an encryptor

# List archived key backups (each holds a complete private key)
afauth keys backups

# Shred backups: overwrite the bytes, then unlink (best-effort on SSD/CoW)
afauth keys forget-backup ~/.afauth/key.json.1700000000.bak
afauth keys forget-backup --all                # every backup of the active key

# Install a key file as the active key (--force to overwrite an existing key)
afauth keys import backup.json
afauth keys import backup.json --force