Key Types
| Prefix | Scope | Allowed operations |
|---|---|---|
ck_live_ | read_write | All operations: plan, apply, create, update, delete |
ck_ro_ | read_only | Read-only: list, get, effective policy, plan (dry-run) |
Creating a Key
- Go to Settings → API Keys in the Charley dashboard.
- Click New API Key.
- Give it a name (e.g.
"ci-github-actions") and chooseread_writeorread_only. - Optionally set an expiration date.
- Copy the key immediately — it is shown only once.
Using a Key
Environment variable (recommended)
CLI flag
dotenv file
Create a.env file in your working directory:
.env by default. Use --env-file to point at a different file:
Python SDK
Storing Keys in CI
GitHub Actions:Key Rotation
- Create a new key in the dashboard.
- Update your secret store (GitHub Actions secret, AWS Secrets Manager, etc.).
- Verify the new key:
agent-charley-cli --verbose plan --file policies/ - Delete the old key in the dashboard.
Expiration
Keys can expire after 30, 90, 180, or 365 days, or never. The dashboard shows a warning banner 14 days before a key expires. Expired keys return401 Unauthorized.
Security Notes
- The raw key is shown once at creation and never stored by Charley.
- Only a SHA-256 hash is stored server-side.
- Dashboard shows only the first 12 characters (prefix) for identification.
- Revoked or deleted keys return
401immediately.
Error Responses
| Status | Meaning |
|---|---|
401 | Key is missing, invalid, expired, or revoked |
403 | Read-only key attempted a write operation |