Skip to main content
agno tokens manages service accounts on a running AgentOS: long-lived tokens for CI jobs, scripts, and other non-human callers. On an AgentOS with authorization enabled, the commands need an admin credential from AGNO_ADMIN_TOKEN or OS_SECURITY_KEY (or an interactive prompt).

Create

This is the only time you’ll see the plaintext token, so save it somewhere safe. There’s no way to get it back later. Names are lowercase slugs: letters, digits, -, and _, starting with a letter or digit. If the name already exists, the command fails; revoke the old account first or pick a different name.

List

The output shows each account’s name, token prefix, scopes, expiry, last use, and status. Full tokens are never stored or displayed.

Revoke

Revocation is irreversible and takes effect on the account’s next request. Interactive runs confirm first; --yes, --json, and non-TTY runs proceed without prompting.
A client with a live connection keeps using its revoked token until it reconnects, so restart any long-running clients after you revoke.

Developer Resources