CLI

API Keys

API keys authenticate non-interactive callers — CI pipelines, scripts, automated agents — without going through the browser OAuth flow. They inherit the permissions of the user who created them.

For interactive use, prefer islo login (see Authentication). API keys are for when you can’t open a browser.

Quick Reference

CommandPurpose
islo api-key create <name>Create a key (copied to clipboard by default)
islo api-key listList all your keys
islo api-key deactivate <id>Disable a key without deleting it
islo api-key activate <id>Re-enable a deactivated key
islo api-key delete <id>Permanently remove a key

Alias: islo key works as a shortcut for islo api-key.

All subcommands accept --output json for structured output.

Creating Keys

$islo api-key create <name> [options]
OptionDescription
--expires <days>Expire the key after this many days. Omit for no expiration.
--output-file <path>Write the key to a file instead of the clipboard.
--showPrint the key to the terminal. Visible in shell history — use only when clipboard and file writes aren’t options.

By default, the secret is copied to your clipboard and never appears on screen. The key value is only shown once at creation; store it before closing the terminal.

Examples:

$# Default: copy to clipboard
$islo api-key create my-ci-key
$
$# Set an expiration
$islo api-key create release-bot --expires 90
$
$# Write the key to a file (e.g., for sealing into a secret manager)
$islo api-key create deploy-key --output-file /tmp/islo.key
$
$# Show in terminal (only when the other options are unavailable)
$islo api-key create my-key --show

Listing Keys

$islo api-key list

Prints a table with each key’s id, name, status (active/inactive), expiration, and creation time. The secret value is not retrievable after creation — list only shows metadata.

$islo api-key list --output json

Deactivating and Activating

Deactivating disables a key without losing its identity — useful when you suspect a leak and want to break the key immediately but keep its audit trail.

$islo api-key deactivate <key-id>
$islo api-key activate <key-id>

Deactivated keys reject every request until reactivated.

Deleting

$islo api-key delete <key-id>          # Confirmation prompt
$islo api-key delete <key-id> --force  # No prompt

Deletion is permanent — there is no undo. If you only want to suspend a key, use deactivate instead.

Using a Key

Set the ISLO_API_KEY environment variable. The CLI picks it up automatically and skips the OAuth flow.

$export ISLO_API_KEY=islo_key_…
$islo ls

Or pass it inline for one command:

$ISLO_API_KEY=islo_key_… islo use ci-sandbox -- ./run-tests.sh

CI/CD example

1# GitHub Actions
2jobs:
3  test:
4    runs-on: ubuntu-latest
5    steps:
6      - uses: actions/checkout@v4
7      - name: Install Islo
8        run: curl -fsSL https://islo.dev/install.sh | bash
9      - name: Run tests in sandbox
10        env:
11          ISLO_API_KEY: ${{ secrets.ISLO_API_KEY }}
12        run: |
13          islo use ci-${{ github.run_id }} -- npm test
14          islo rm ci-${{ github.run_id }} -f

Notes

  • The key is shown exactly once. There is no command that re-prints an existing key’s value.
  • Keys inherit the creator’s permissions. Use separate keys per workload so you can deactivate one without breaking others.
  • Rotate keys on a schedule by creating a new key, updating your secret store, then deleting the old one.