Cyberun issues three kinds of credential. Each has a different prefix, a different intended use, and a different scope. They all live in the Access page in Cloud (sidebar → Access).
| Kind | Prefix | Who can create | Scope | Purpose |
| --- | --- | --- | --- | --- |
| Integration | sk- | Any team member | Team-wide | Scripts, CI, MCP clients, partner integrations. |
| Agent | ak- | Any team member | Team-wide | The agent installer and the long-lived agent process. |
| Device | dk- | Cyberun CLI sign-in | User-bound, team-scoped | Devices paired via the Cyberun CLI (and third-party tools). |
The full secret is shown once, at creation. Cloud only stores the prefix and a hash afterwards. Lose the secret and you have to revoke and re-create the credential.

Integration credentials (sk-)

The general-purpose API key. Use these for:
  • Custom scripts hitting the Runtime API (/r/...).
  • CI pipelines that submit tasks.
  • MCP clients (Claude Code, Cursor) connecting to the platform’s Web MCP endpoint at /api/v1/mcp.
  • Partner integrations that need read or write access to team resources.
The team is the access boundary — an integration key reads and writes only the team it was created under. Send the key in the Authorization header:
Authorization: Bearer sk-...

Agent credentials (ak-)

Used by the agent installer to register a GPU machine with the team, and by the long-lived agent process to maintain its WebSocket connection to the gateway. The walkthrough is on Connect an agent.
Signing in with the Cyberun CLI also creates one of these automatically: a companion agent linked to the new device credential, so the device can run workflows without a separate key. It is tied to the device — revoking the device credential revokes the companion agent with it. See Cyberun CLI.
These keys are limited to the agent runtime protocol. They cannot read team dashboards, manage workflows, or submit tasks on a member’s behalf. Stolen ak- keys can only enrol a fake agent — which still should not happen, so revoke promptly if leaked.

Device credentials (dk-)

Issued through device pairing. When you sign in with the Cyberun CLI, it prints a pairing code and opens your browser; confirming it on the Cloud side issues a dk- credential bound to your user identity inside the active team, plus a companion agent credential so the device can run workflows.
Each member sees their own device credentials in Access → Device and can revoke any of them — useful for revoking a stolen laptop. Revoking a device credential also revokes its companion agent, so one action fully disconnects the device. Team admins can also revoke other members’ devices.

Best practices

  • One credential per integration. Don’t share a key between three CI pipelines. Revoking one shouldn’t take down the others.
  • Name credentials descriptively. ci-prod-image-build, claude-code-personal, not key1, test.
  • Revoke promptly on departure. When someone leaves the team, revoke their integration credentials before removing their membership. Removing the membership does not revoke the keys they issued.
  • Don’t paste keys into shared notes. If you must share, use a vault. The dashboard shows the full key only at creation — treat that as the only chance.
  • Rotate periodically. Long-lived keys accumulate exposure risk. Issue a new key, switch the integration over, revoke the old one.

Expiration

At creation, each credential can be given an expiry of 1–365 days, or set to never expire. Expired credentials behave the same as revoked ones: the next request returns 401.
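
The best practices and expiry rules above can be checked mechanically against a credential inventory. The following is an added example, not Cyberun code: the inventory records, their field names, the member list and the 180-day rotation window are all assumptions, since this page documents no export format or rotation interval.

```python
from datetime import date, timedelta

# Constructed inventory, transcribed by hand from the Access page. The field
# names are assumptions; the page does not document an export format.
INVENTORY = [
    {"name": "ci-prod-image-build", "issued_by": "alice",
     "created": date(2025, 1, 10), "expires": date(2025, 7, 9),
     "used_by": ["ci-prod"]},
    {"name": "key1", "issued_by": "bob",
     "created": date(2024, 2, 1), "expires": None,
     "used_by": ["ci-a", "ci-b", "ci-c"]},
    {"name": "gpu-rack-2", "issued_by": "carol",
     "created": date(2025, 3, 1), "expires": date(2025, 4, 1),
     "used_by": ["gpu-rack-2"]},
]
CURRENT_MEMBERS = {"alice", "carol"}   # constructed: bob has left the team
GENERIC_NAMES = {"key1", "test"}       # the page's examples of poor names
MAX_AGE = timedelta(days=180)          # assumed rotation policy, not from the page


def audit(inventory, members, today):
    """Map each credential name to the findings that need action."""
    report = {}
    for cred in inventory:
        findings = []
        if cred["expires"] is not None and cred["expires"] < today:
            # Expired behaves like revoked, so nothing else matters for this key.
            report[cred["name"]] = ["expired: consumers now get 401"]
            continue
        if cred["name"] in GENERIC_NAMES:
            findings.append("non-descriptive name")
        if len(cred["used_by"]) > 1:
            findings.append("shared by %d consumers" % len(cred["used_by"]))
        if cred["issued_by"] not in members:
            findings.append("issuer left the team; key is still valid")
        if cred["expires"] is None:
            findings.append("never expires")
        if today - cred["created"] > MAX_AGE:
            findings.append("older than rotation window")
        if findings:
            report[cred["name"]] = findings
    return report


if __name__ == "__main__":
    result = audit(INVENTORY, CURRENT_MEMBERS, date(2025, 5, 1))
    for name, findings in result.items():
        print(name, "->", "; ".join(findings))
```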