> ## Documentation Index
> Fetch the complete documentation index at: https://docs.usealmanac.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How CLI, SDK, MCP, and API requests authenticate.

Almanac accounts cover identity, organizations, memberships, roles,
permissions, sessions, and programmatic credentials.

## CLI and local MCP

```bash theme={null}
almanac login
almanac use reverie/legal
```

The CLI stores local auth state after login. The MCP server reads that same
state and calls the SDK over `/v1`.

## API and SDK

Pass a bearer token to `/v1` requests:

```bash theme={null}
curl https://almanac-backend-83vc.onrender.com/v1/me \
  -H "Authorization: Bearer $ALMANAC_TOKEN"
```

The backend verifies the token and checks organization access. Almanac does
not expose a second user, membership, or API-key system.

## Programmatic keys

Organization API keys are the programmatic credential model.

```bash theme={null}
almanac api-keys create "Local agent"
almanac api-keys create "Writer" --write
almanac api-keys delete ak_123
```

`almanac api-keys create` returns the full key value once. Save it in your
secret manager and pass it as the bearer token for SDK, MCP, or direct `/v1`
requests.

Almanac does not show the full secret again after creation. The default key is
read-only for wiki search and page/source reads. `--write` grants wiki
creation, source upload, and garden job permissions.