Skip to main content
agno tokens create ci-runner
agno tokens list
agno tokens revoke ci-runner
agno tokens manages service accounts on a running AgentOS: long-lived tokens for CI jobs, scripts, and other non-human callers. On an AgentOS with authorization enabled, the commands need an admin credential from AGNO_ADMIN_TOKEN or OS_SECURITY_KEY (or an interactive prompt).

Create

agno tokens create ci-runner --scopes agents:run --scopes sessions:read --expires 30
This is the only time you’ll see the plaintext token, so save it somewhere safe. There’s no way to get it back later.
FlagDefaultDescription
--scopes, -sagents:run, teams:run, workflows:run, sessions:read, config:readScope to grant (repeatable)
--expires90dDays until expiry (90d, 30) or never
--privilegedoffRequired to grant write, delete, admin, or service_accounts scopes
--urlautodiscoverAgentOS base URL
--allow-httpoffPermit credentials over plaintext HTTP to a non-loopback host
--yes, -yoffTrust a remote AGENTOS_URL from a .env file without prompting
--jsonoffEmit a single JSON document, including the token
Names are lowercase slugs: letters, digits, -, and _, starting with a letter or digit. If the name already exists, the command fails; revoke the old account first or pick a different name.

List

agno tokens list
The output shows each account’s name, token prefix, scopes, expiry, last use, and status. Full tokens are never stored or displayed.

Revoke

agno tokens revoke ci-runner --yes
Revocation is irreversible and takes effect on the account’s next request. Interactive runs confirm first; --yes, --json, and non-TTY runs proceed without prompting.
A client with a live connection keeps using its revoked token until it reconnects, so restart any long-running clients after you revoke.

Developer Resources