API KEY AUTHENTICATION
API keys authenticate CLI commands and programmatic API requests. There are two types: personal keys and collective tokens.
Key formats
| Type | Prefix | Example |
|---|---|---|
| Personal key | swamp_ |
swamp_a1b2c3d4e5f6... (32 hex) |
| Collective token | swamp_org_ |
swamp_org_a1b2c3d4e5... (32 hex) |
Authentication headers
API requests accept either header:
x-api-key: swamp_a1b2c3...Authorization: Bearer swamp_a1b2c3...The CLI uses the x-api-key header.
Credential storage
The CLI stores credentials in ~/.config/swamp/auth.json (or
$XDG_CONFIG_HOME/swamp/auth.json). File permissions are set to 0o600. Writes
are atomic (temporary file, then rename) to prevent corruption.
The stored structure contains:
| Field | Description |
|---|---|
serverUrl |
Server the key authenticates against |
apiKey |
The raw API key (swamp_ prefix) |
apiKeyId |
Key ID for revocation tracking |
username |
Authenticated username |
collectives |
Cached collective membership slugs |
Credential precedence
SWAMP_API_KEYenvironment variable (highest priority)~/.config/swamp/auth.jsonfile- Default server:
https://swamp-club.com
When SWAMP_API_KEY is set, swamp auth login and swamp auth logout are
disabled.
Environment variables
| Variable | Purpose |
|---|---|
SWAMP_API_KEY |
API key for authentication (overrides auth.json) |
SWAMP_CLUB_URL |
Server URL override |
Scope
Personal keys create a full user session. The authenticated user's identity, roles, and collective memberships are all available. Commands that require a user context (extension push, issue submit) work with personal keys.
Collective tokens create a collective context only. They do not create a
user session. The middleware sets collectiveTokenContext with the collective
ID, slug, and token ID. Actions performed with a collective token are attributed
to the collective, not to any individual user.
Personal keys grant access to all collectives the user belongs to. Collective tokens are scoped to a single collective.
Role requirements
| Operation | Required role |
|---|---|
| Create personal key | Any authenticated user |
| Create collective token | Owner or admin |
| Revoke collective token | Owner or admin |
| Delete collective token | Owner or admin |
Limits
Each collective can have a maximum of 25 API tokens.
Expiration
Collective tokens support an optional expiration date set at creation time. Expiration is enforced at verification — an expired token is rejected even if it is still enabled. Personal keys created by the CLI do not expire.
Key lifecycle
- Created — key is generated, raw value shown once, hash stored
- Enabled — key authenticates requests normally
- Revoked — key is disabled and can no longer authenticate; remains visible in the UI
- Deleted — key is permanently removed
Revoked keys cannot be re-enabled.
Security
Keys are hashed with SHA-256 (base64url encoding) before storage. The raw key is returned only at creation time. The key hash is never exposed in API responses or the web UI.
API endpoints
Personal keys (BetterAuth)
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/api-key/create |
Create a key |
| GET | /api/auth/api-key/list |
List keys |
| POST | /api/auth/api-key/update |
Update a key |
| POST | /api/auth/api-key/delete |
Delete a key |
These endpoints require an active session (cookie or session token).
Collective tokens
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/collectives/{slug}/api-tokens |
List tokens |
| POST | /api/v1/collectives/{slug}/api-tokens |
Create a token |
| PATCH | /api/v1/collectives/{slug}/api-tokens/{tokenId} |
Revoke a token |
| DELETE | /api/v1/collectives/{slug}/api-tokens/{tokenId} |
Delete a token |
These endpoints require an active session with owner or admin role on the collective.
CLI commands that require authentication
| Command | Key type |
|---|---|
swamp auth whoami |
Personal |
swamp extension push |
Personal |
swamp extension yank |
Personal |
swamp extension unyank |
Personal |
swamp issue submit |
Personal |
swamp issue ripple |
Personal |
swamp issue get |
Personal |