Pick an install path
- uv (recommended)
- pip
- uvx (one-off, no install)
- From source
Every command in the docs is written as
authsome <subcommand> and assumes you ran uv tool install authsome (or pip install authsome). If you skipped install and prefer one-off runs, prefix every command with uvx authsome@latest instead of authsome.Verify the install
whoami prints the home directory, registered identity handle, DID, and both the configured encryption mode and effective master-key source. doctor walks the home directory, verifies encryption is available, and parses every bundled provider definition. A healthy install reports OK for each check and exits with code 0.
If doctor reports failures, see Diagnose with doctor.
First-run initialization
Onauthsome onboard, authsome initializes its home directory at ~/.authsome/, creates a generated identity handle and Ed25519 DID, registers that identity with the daemon, completes claim, and imports API keys from .env files and the process environment:
onboard, authsome resolves the master key source in this order:
AUTHSOME_MASTER_KEYfrom the environment, when set. The value must be a base64-encoded 32-byte key.- An existing OS keyring entry.
- An existing
~/.authsome/server/master.key. - A newly created OS keyring entry, when the keyring is available.
- A newly created local
~/.authsome/server/master.keyas the final fallback.
AUTHSOME_HOME for ephemeral or per-project setups:
--base-url once; authsome saves it in client config for later commands:
Choose the encryption backend
By default, authsome usesencryption.mode = "auto" and applies the precedence above. To pin the daemon to the local file or OS keychain instead, edit the Authsome config:
authsome doctor to confirm the backend is reachable. The trade-offs are covered in Encryption at rest.
Upgrading from releases before 0.4 (the old profile model) requires a fresh authsome onboard and re-login. Credentials under profile:* keys are not migrated automatically. See Changelog.
Optional: trust the proxy CA
authsome run injects auth headers through a local mitmproxy. HTTPS interception requires the mitmproxy CA to be trusted on the machine. You can defer this until you actually use run. When you’re ready, the per-OS install steps are in Proxy networking.
Uninstall
Remove the package:keyring encryption mode, also delete the authsome entry from your OS keychain.
To revoke remote sessions for any provider before uninstalling, run authsome provider revoke <provider> for each one first.
Next steps
Quickstart
Log in to GitHub and OpenAI, then run an agent in under five minutes.
CLI reference
Every command, every flag, every exit code.