Authentication - Almanac

Almanac accounts cover identity, organizations, memberships, roles, permissions, sessions, and programmatic credentials.

CLI and local MCP

almanac login
almanac use reverie/legal

The CLI stores local auth state after login. The MCP server reads that same state and calls the SDK over /v1.

API and SDK

Pass a bearer token to /v1 requests:

curl https://almanac-backend-83vc.onrender.com/v1/me \
  -H "Authorization: Bearer $ALMANAC_TOKEN"

The backend verifies the token and checks organization access. Almanac does not expose a second user, membership, or API-key system.

Programmatic keys

Organization API keys are the programmatic credential model.

almanac api-keys create "Local agent"
almanac api-keys create "Writer" --write
almanac api-keys delete ak_123

almanac api-keys create returns the full key value once. Save it in your secret manager and pass it as the bearer token for SDK, MCP, or direct /v1 requests. Almanac does not show the full secret again after creation. The default key is read-only for wiki search and page/source reads. --write grants wiki creation, source upload, and garden job permissions.

​CLI and local MCP

​API and SDK

​Programmatic keys

CLI and local MCP

API and SDK

Programmatic keys