hoziron auth
Authentication and API key management.
Synopsis
hoziron auth <subcommand> [options]
Subcommands
| Subcommand | Description |
|---|---|
| hash-password | Generate Argon2id hash for dashboard auth |
| create-key | Create a new API key |
| list-keys | List all active API keys |
| revoke-key <id> | Revoke an API key |
| rotate-key <id> | Rotate a key (revoke + recreate) |
| whoami | Show current caller identity |
hoziron auth hash-password
Generate an Argon2id password hash for dashboard authentication.
$ hoziron auth hash-password
? Enter password: ********
? Confirm password: ********
Hash: $argon2id$v=19$m=65536,t=3,p=4$...
Add this to your config.toml:
[auth]
dashboard_password_hash = "$argon2id$v=19$m=65536,t=3,p=4$..."
hoziron auth create-key
Create a new API key for programmatic access.
hoziron auth create-key --role <role> --name <name> [--expires-in <duration>] [--json]
Flags
| Flag | Description |
|---|---|
| --role <role> | Key role (admin, operator, developer, viewer, service) |
| --name <name> | Human-readable name |
| --expires-in <duration> | Expiration (e.g., "90d", "24h", "365d"). Omit for no expiration |
| --json | JSON output |
Roles
| Role | Access Level |
|---|---|
| admin | Full access — all operations including key management |
| operator | Manage agents, competencies, workflows; no key/auth management |
| developer | Send messages, view status; no lifecycle management |
| viewer | Read-only access to status, health, metrics |
| service | Machine-to-machine — scoped to specific operations |
Examples
# Create an operator key for CI
$ hoziron auth create-key --role operator --name "ci-deploy-bot" --expires-in 90d
✓ API key created
Key ID: key-a1b2c3d4
Name: ci-deploy-bot
Role: operator
Expires: 2026-09-02
API Key: hzn_sk_a1b2c3d4e5f6...
⚠ Save this key now — it won't be shown again.
# Create a viewer key for monitoring
$ hoziron auth create-key --role viewer --name "grafana-scraper"
✓ API key created (no expiration)
Key ID: key-e5f6a7b8
API Key: hzn_sk_e5f6a7b8c9d0...
# Create a service key
$ hoziron auth create-key --role service --name "claims-webhook-handler" --expires-in 365d
✓ API key created
hoziron auth list-keys
$ hoziron auth list-keys
ID NAME ROLE EXPIRES CREATED
key-a1b2c3d4 ci-deploy-bot operator 2026-09-02 2026-06-04
key-e5f6a7b8 grafana-scraper viewer never 2026-06-04
key-f6a7b8c9 claims-webhook service 2027-06-04 2026-06-04
$ hoziron auth list-keys --json
[
{
"id": "key-a1b2c3d4",
"name": "ci-deploy-bot",
"role": "operator",
"expires_at": "2026-09-02T00:00:00Z",
"created_at": "2026-06-04T10:00:00Z"
}
]
hoziron auth revoke-key
Immediately invalidate an API key.
$ hoziron auth revoke-key key-a1b2c3d4
✓ Key 'ci-deploy-bot' (key-a1b2c3d4) revoked
# Revoked keys are removed from the list
$ hoziron auth list-keys
ID NAME ROLE EXPIRES CREATED
key-e5f6a7b8 grafana-scraper viewer never 2026-06-04
hoziron auth rotate-key
Revoke the old key and create a new one with the same name and role.
$ hoziron auth rotate-key key-e5f6a7b8
✓ Key rotated
Old key revoked: key-e5f6a7b8
New key created: key-c9d0e1f2
API Key: hzn_sk_c9d0e1f2a3b4...
⚠ Update all systems using the old key.
hoziron auth whoami
Show the current caller's identity and role.
$ hoziron auth whoami
Identity: ci-deploy-bot
Role: operator
Key ID: key-a1b2c3d4
Expires: 2026-09-02
$ hoziron auth whoami --json
{
"name": "ci-deploy-bot",
"role": "operator",
"key_id": "key-a1b2c3d4",
"expires_at": "2026-09-02T00:00:00Z"
}
Using API Keys
With the CLI (remote contexts)
# Store key in environment
export HOZIRON_STAGING_KEY="hzn_sk_a1b2c3d4..."
# Add context with key
hoziron context add staging --url https://hoziron.staging.internal --auth local --api-key-env HOZIRON_STAGING_KEY
With curl (API access)
curl -H "Authorization: Bearer hzn_sk_a1b2c3d4..." \
https://hoziron.staging.internal/agents
See Also
- context.md — Multi-instance access with keys
- security.md — Audit trail and security status
- ../enterprise-deployment.md — Security hardening