https://dashboard.esheria.ai/. The dashboard creates workspace-scoped data
tokens for production services, local development, CLI use, and MCP hosts.
Store tokens in your shell for local testing or in your service secret manager
for production use.
Dashboard-created and OAuth connector tokens are read-only
(regulatory:read). A workspace owner can use a management token to create a
least-privilege operator data token with monitoring:write, graph:write, or
customer:write when an integration must change hosted state.
Existing customers may also receive a workspace token from an Esheria
operator or workspace owner. Dashboard-created data tokens are the recommended
self-serve path for new integrations.
Create A Token In The Dashboard
- Open
https://dashboard.esheria.ai/. - Sign up or sign in.
- Open API Tokens.
- Create a data token with a clear name such as
Production backendorLocal development. - Store the returned token secret immediately. It is shown once and cannot be recovered later.
--scope option. Unknown scopes and
management scopes are rejected for data tokens:
Local Setup
ESHERIA_DEFAULT_PACK_ID is an optional client preference chosen by you; it is
not a server-side jurisdiction default. Pack-specific commands still accept an
explicit pack ID.
For long-running services, store keys in the host secret manager and inject them as environment variables at runtime.
Test A Key
status: ok. An invalid key returns the normal error envelope with unauthorized.
CLI Configuration
The CLI reads the same environment variables.set or missing, never the key value.
Rotation Checklist
- Create a new data token in the dashboard.
- Deploy the new key to services and MCP hosts.
- Run
esheria packs list --format json. - Revoke the old key from API Tokens.
- Remove exposed key material from shell history, logs, and screenshots.