# Key management
URL: /docs/authentication/key-management

Issue keys with newt login, and manage them — list, revoke, logout — from the CLI and the console.



`newt login` is the primary way to issue a key. The console is the management surface: it issues keys for contexts where the CLI isn't available, and it's where you list and revoke keys.

## Issue a key with `newt login` [#issue-a-key-with-newt-login]

```bash
newt login
```

The command prints a URL and a pairing code. Open the URL in a browser, confirm the code shown there matches the one in your terminal, and approve. The CLI receives a key and stores it at `~/.nt/credentials`. The SDK and CLI read it from there automatically on subsequent runs.

For scripted or agent contexts, `newt login --print` runs the same pairing flow but prints the key to stdout and persists nothing. Capture the output yourself — into a secret store, an environment variable, or a `.env` file.

```bash
newt login --print
```

## Issue a key in the console [#issue-a-key-in-the-console]

Use the console when the CLI isn't an option — a teammate provisioning a key, a deploy target without `newt` installed, or any environment where the browser pairing flow doesn't fit.

1. Open the [console](https://newtheory-console.vercel.app) and sign in.
2. Open the **Keys** page from the sidebar.
3. Click **Create API key**. The console reveals the key value once, in a dialog.
4. **Copy the value now.** It looks like `nt_<40 hex>`. Save it to your password manager or export it directly into the shell you'll run from.

<Callout type="warning">
  **One-time reveal.** The console only shows the key plaintext at the moment of creation. After you close the dialog you can list the key (prefix only) and revoke it, but you can't see the full value again. If you lose the plaintext, revoke and reissue.
</Callout>

## List your keys [#list-your-keys]

The **Keys** page in the console shows every key issued under your account: name, masked key, creation date, and a status of **In use** or **Never used**. The full key value is never shown — the suffix hint (last 8 chars) is enough to identify which one is which when you cross-reference against the value you saved.

## Revoke a key [#revoke-a-key]

1. On the **Keys** page, find the key you want to revoke.
2. Click **Revoke** on its row.
3. Confirm. The key is removed from the active set.

Revocation propagates to the inference endpoint within seconds; new connections fail with `AuthError`. The key is checked once, at connection handshake — an already-open connection isn't re-checked, so it keeps running on a revoked key until it closes on its own.

## Remove local credentials with `newt logout` [#remove-local-credentials-with-newt-logout]

```bash
newt logout
```

`newt logout` deletes `~/.nt/credentials`. The key itself stays valid — `logout` only removes it from this machine. To make the key stop working, revoke it in the console.

## Practices that pay off [#practices-that-pay-off]

* **One key per project or robot.** When something leaks or a workstation gets re-imaged, you revoke one key, not all of them.
* **Name keys after where they live.** `laptop-mattie`, `demo-rig-1`, `ci-runner`. Future-you grepping a list of prefixes will thank you.
* **Rotate by reissue, not by edit.** Create the new key, swap your environment over, then revoke the old one. There is no "rotate" operation — issuing plus revoking is the rotation.
* **Don't commit keys to source.** Use `NT_API_KEY` from the shell, a `.env` file gitignored at the repo root, or your platform's secret store. The `newt` library reads `NT_API_KEY` first and falls back to `~/.nt/credentials` — the env var wins when both are present, so you don't have to thread plaintext through code.
