CLI guide to creating agent API keys
The CLI can bootstrap an agent-scoped API key from the local agent config, then print the plaintext once for secure storage.
Why it matters
A local operator can create an agent, fund it, generate an API key, and then use sell create-link without visiting the web dashboard.
Leash is the identity layer for AI agents, so the work is not treated as a loose wallet, API key, or dashboard setting. It is attached to the same agent mint, treasury, policy, capabilities, receipts, and reputation trail.
How Leash handles it
The CLI reads ~/.config/leash/agent.json or environment variables, signs the request with X-Leash-Sig, and calls the agent API-key endpoint for the active agent.
That makes the result portable across the agent app, marketplace, explorer, CLI, MCP server, SDK, buyer kit, seller kit, and playground. The surface can change, but the identity and proof trail stay the same.
Implementation checklist
Run leash -v, confirm agent show, run api-key create with a label, export the plaintext as LEASH_API_KEY if needed, then list or revoke keys during rotation.
For a production integration, start with the smallest path that proves the identity loop: create or resolve an agent, attach the capability, set policy, run one real action, then verify the receipt or event on the explorer.
CLI key workflow
npm i -g @leashmarket/cli@latest
hash -r
leash -v
leash agent show
leash api-key create --label "local runtime"
export LEASH_API_KEY="lsh_..."FAQ
Why did npm install but leash -v stayed old?
A local npm install does not update the global binary on PATH. Use npm i -g @leashmarket/cli@latest and hash -r.
Does api-key create require an existing LEASH_API_KEY?
No. It signs with the configured executive key. The created key is for legacy bearer-token surfaces.