token

1ctl token manages API tokens — the long-lived credentials you use for programmatic access to Satusky. Unlike a browser session, tokens don’t expire unless you explicitly set an expiry or revoke them. They’re the right tool for CI/CD pipelines, deployment scripts, and any automation that needs to talk to the Satusky API.

Alias: 1ctl api-token

Every request the CLI (or your own code) makes to https://api.satusky.com/v1/cli is authenticated by a token in the x-satusky-api-key header. The backend validates it against the api_tokens table on every request — there is no session cache. A disabled or deleted token is rejected immediately.

One important detail: the raw token value is only returned once, at creation time. The backend stores only a hash. If you lose it, you cannot recover it — create a new one and revoke the old one.

1ctl token list

Lists all API tokens on your account with their name, status, and expiry.

$ 1ctl token list
ID NAME STATUS EXPIRES
tok_abc123 github-actions active 2026-07-26
tok_def456 local-dev active never
tok_ghi789 old-script disabled never

1ctl token create --name <name> [--expires <days>]

Creates a new API token. The token value is printed once at creation — copy it immediately. It will not be shown again.

Flags

Flag              Default   Description
--name <name>     required  Human-readable label for the token.
--expires <days>  never     Number of days until the token auto-expires. Omit for a token that never expires.

# Create a 90-day CI token
1ctl token create --name "github-actions" --expires 90
# Create a permanent token for a long-running service
1ctl token create --name "monitoring-agent"

Example output:

Token created: github-actions
ID: tok_abc123
Expires: 2026-07-26
Token value (shown once — save it now):
sat_prod_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

After this point the token value is gone from the platform. Store it in your secrets manager before closing this terminal.


1ctl token get <token-id>

Returns metadata for a token: name, status, creation date, expiry, and last-used timestamp. The raw token value is not returned — only the ID and metadata.

1ctl token get tok_abc123

1ctl token enable <token-id>

Re-enables a previously disabled token. The token resumes accepting requests immediately.

1ctl token enable tok_abc123

1ctl token disable <token-id>

Disables a token without deleting it. Disabled tokens are rejected by the API (401 Unauthorized) but can be re-enabled later. Use this to suspend access without losing the token metadata.

# Suspend a token while rotating credentials
1ctl token disable tok_abc123

1ctl token delete <token-id> [-y]

Permanently deletes a token. Any request using this token is rejected immediately. This action cannot be undone.

Flags

Flag  Default  Description
-y    false    Skip the confirmation prompt.

# Delete with confirmation prompt
1ctl token delete tok_ghi789
# Delete without confirmation (useful in scripts)
1ctl token delete tok_ghi789 -y

CI/CD pipelines. Create a dedicated token per pipeline with a 90-day expiry. Store it as a CI secret (SATUSKY_API_KEY). Rotate it by creating a new token, updating the secret, then deleting the old one — with no downtime between steps.

# In GitHub Actions
- name: Deploy
  env:
    SATUSKY_API_KEY: ${{ secrets.SATUSKY_API_KEY }}
  run: 1ctl deploy

Token hygiene. Run 1ctl token list periodically. Disable any token you don’t recognise, investigate, then delete it if it wasn’t yours. Tokens with status disabled can always be cleaned up without operational impact.
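
The periodic review described above can be scripted. The following is an added example, not part of 1ctl or its documentation: it assumes `1ctl token list` prints the ID, NAME, STATUS and EXPIRES columns shown earlier, and the names `audit_tokens` and `sample_listing`, the finding labels and the `tok_jkl012` row are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the table printed by `1ctl token list`.
# Assumed column layout (from the sample output on this page):
#   ID NAME STATUS EXPIRES
#
# audit_tokens WARN_BEFORE KNOWN_IDS
#   WARN_BEFORE  YYYY-MM-DD; active tokens expiring on or before it are flagged
#   KNOWN_IDS    space-separated token IDs you expect to exist
# Reads the listing on stdin and prints one "<id> <finding> <name>" line
# per finding.
audit_tokens() {
  awk -v warn="$1" -v known="$2" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $1 == "ID" || NF < 4 { next }      # skip header, blank and malformed rows
    {
      id = $1; expires = $NF; status = $(NF - 1)
      # NAME is a free-text label and may contain spaces, so it is
      # everything between the first field and the last two.
      name = $2
      for (i = 3; i <= NF - 2; i++) name = name " " $i

      # Disabled tokens are already rejected by the API; list them for cleanup.
      if (status == "disabled") { print id, "DISABLED_CLEANUP", name; next }
      # Active token that is not on the expected list: disable and investigate.
      if (!(id in ok)) print id, "UNRECOGNISED", name
      # Active token with no expiry, or due for rotation.
      # ISO dates sort correctly as strings; "" forces a string comparison.
      if (expires == "never") print id, "NO_EXPIRY", name
      else if ((expires "") <= (warn "")) print id, "ROTATE_SOON", name
    }'
}

# Constructed sample input: the rows shown on this page plus one
# invented row whose name contains spaces.
sample_listing() {
  cat <<'EOF'
ID NAME STATUS EXPIRES
tok_abc123 github-actions active 2026-07-26
tok_def456 local-dev active never
tok_ghi789 old-script disabled never
tok_jkl012 nightly backup job active 2027-01-15
EOF
}
```

Against a real account, pipe the listing in, for example `1ctl token list | audit_tokens "$(date -d '+14 days' +%F)" "tok_abc123 tok_def456"`; the `date -d` form is GNU date syntax.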

Security incident. If a token is compromised, delete it — not just disable it. Then rotate any credentials the compromised token had access to. If you suspect broader access, also run 1ctl user sessions revoke to terminate active browser sessions.