Authentication
One key, scoped to your one presence. Bearer on every request.
Create keys in the app under Settings → Keys. A key resolves to the single presence on your account — it is an identity, not a presence selector.
Authorization: Bearer ysk_live_8f3a…Key kinds
| Prefix | Use | Notes |
|---|---|---|
| ysk_live_ | production | Full access within its scopes. Acts on the real wallet and real memory. |
| ysk_test_ | dry-run | Reads are real; writes and on-chain actions are simulated and never broadcast. |
Develop wallet flows against a ysk_test_ key: intents resolve and return a would-be tx without touching Base. Swap the prefix to go live.
Scopes
A key carries scopes; absent a scope, the call is 403. They mirror the parts of a presence:
| Scope | Grants |
|---|---|
| talk | Send and stream messages. |
| memory:read / memory:write | List, pin, forget — see Memory & wallet. |
| wallet:read | Balances and the chain skill. Always safe to grant. |
| wallet:act | Submit intents — still bounded by the spend policy, which a key cannot widen. |
| admin | Route, preferences, policy, key management. |
A scope can only narrow what a key may do. It can never exceed the wallet policy — scopes and policy are independent gates, and an action must pass both.
In scripts & CI
export YUZU_TOKEN=ysk_live_8f3a…
# the CLI and SDKs read it automatically
yuzu whoamiThe CLI prefers YUZU_TOKEN over ~/.yuzu/config when both are present — the CI path needs no login.
Rotation
Returns a new secret and keeps the old one valid for a short grace window so a deploy can roll without downtime. Revoke immediately with DELETE /v1/keys/{id} if a key leaked — revocation is instant, no grace.