Kizaki
ReferenceCLI

Auth And Access

Log in, manage team or CI access, issue application API keys, and work with async operational tooling.

This page covers who can access Kizaki itself, who can access your app over HTTP, and how you inspect async operations.

App-user authentication is not configured with CLI commands. It is declared in Inspire via auth {} and exposed through the platform's auth API.

Common Commands

kizaki login

kizaki keys create --name "CI pipeline"
kizaki keys list

kizaki api-keys create --scope read --name "Mobile app"
kizaki api-keys list
kizaki api-keys rotate <id> --grace-period 24h

kizaki effects status

Credential Types

These commands look similar but manage different systems.

CommandPurpose
auth {} in InspireApp-user sign-in, sessions, linking, password policy
kizaki loginAuthenticate you to the Kizaki platform
kizaki keysPlatform or CI credentials
kizaki api-keysApp-level tokens for declared HTTP routes
kizaki effectsInspect async background delivery state

If a credential calls your app's own routes, it belongs under api-keys, not keys.

App User Auth

App-user authentication starts in the schema:

auth {
  providers: [email, google],
  sessionDuration: 30d,

  password {
    minLength: 12,
    blockCommon: true,
    breachCheck: true,
  }

  principal {
    displayName: string @from(Profile.displayName),
  }
}

That config is compiled into the app artifact. The auth service exposes the endpoints; the auth backend enforces the flows.

Summary:

  • auth {} — app-user authentication
  • routes(..., auth: session) — user-protected routes
  • apiKeys {} + kizaki api-keys — machine-to-machine route access
  • kizaki login — access to the Kizaki platform itself

Platform Keys

Use kizaki keys for CI and deployment automation.

kizaki keys create --name "CI pipeline"
kizaki keys list
kizaki keys revoke <id>

Platform keys grant access to platform operations. They do not authenticate calls to your application's routes.

App API Keys

Use kizaki api-keys when you have declared apiKeys scopes in Inspire and need a token for a route consumer.

kizaki api-keys create --scope read --name "Warehouse sync"
kizaki api-keys create --scope writer --name "CRM importer" --expires 90d
kizaki api-keys list
kizaki api-keys list --scope read
kizaki api-keys revoke <id>
kizaki api-keys rotate <id> --grace-period 24h

Workflow:

  1. Declare scopes in apiKeys { ... }
  2. Attach scopes to routes with auth: apiKey(scope)
  3. Mint or rotate tokens with kizaki api-keys

Effects

kizaki effects inspects background delivery state for routes, webhooks, or server workflows that enqueue async work.

kizaki effects status

Best Practices

  • Keep platform credentials and app API credentials separate
  • Issue API keys only for declared route scopes
  • Rotate machine credentials instead of reusing one long-lived token
  • Use effects tooling when debugging async follow-up behavior

Related docs:

Deploy And Operations

Deploy your application and manage environments, secrets, logs, and platform access.

How Kizaki Works

Kizaki turns one schema into a full application workflow: database shape, runtime rules, generated client surfaces, and deployment artifacts.

Elsewhere

FeedbackStudio

On this page

Common CommandsCredential TypesApp User AuthPlatform KeysApp API KeysEffectsBest Practices