DebugBundle
CLI

Token Management

Create, list, and revoke project and member tokens with the DebugBundle CLI.

The CLI provides commands for managing both project tokens (SDK ingestion) and member tokens (CLI/API/MCP authentication).

Token Types

Token TypePrefixPurposeScope
Project tokendbundle_proj_...SDK event ingestionWrite-only to ingestion API
Member tokendbundle_member_...CLI, API, MCP operationsRead/manage all project resources

Token plaintext is shown only once at creation. Copy it immediately — it cannot be retrieved later. Tokens are stored as SHA-256 hashes at rest.

Project Tokens

Project tokens authenticate SDK event ingestion. Each project can have multiple active tokens.

List Project Tokens

debugbundle token project list proj_01HXYZ...

Output:

{
  "tokens": [
    {
      "token_id": "tok_01HABC...",
      "label": "production-sdk",
      "revoked_at": null
    },
    {
      "token_id": "tok_01HDEF...",
      "label": "staging-sdk",
      "revoked_at": "2026-03-20T10:00:00Z"
    }
  ]
}
FlagTypeDefaultDescription
--limitnumber50Maximum number of tokens to return.
--auth-filestring~/.debugbundle/auth.jsonPath to auth state file.
--jsonbooleanfalseOutput as JSON.

Create Project Token

debugbundle token project create proj_01HXYZ... --label "production-sdk"

Output:

{
  "token": {
    "token_id": "tok_01HGHI...",
    "label": "production-sdk",
    "plaintext": "dbundle_proj_live_a1b2c3d4e5f6...",
    "revoked_at": null
  }
}

Copy the plaintext value — this is the only time it will be shown.

FlagTypeDefaultDescription
--labelstringRequired. Human-readable label for the token.
--auth-filestring~/.debugbundle/auth.jsonPath to auth state file.
--jsonbooleanfalseOutput as JSON.

Revoke Project Token

debugbundle token project revoke proj_01HXYZ... tok_01HGHI...

Output:

{
  "token": {
    "token_id": "tok_01HGHI...",
    "label": "production-sdk",
    "revoked_at": "2026-03-24T10:30:00Z"
  }
}

Revoked tokens are immediately rejected by the ingestion API. SDKs using revoked tokens will fail silently (per SDK safety guarantees).

FlagTypeDefaultDescription
--auth-filestring~/.debugbundle/auth.jsonPath to auth state file.
--jsonbooleanfalseOutput as JSON.

Member Tokens

Member tokens authenticate CLI, API, and MCP operations. They are tied to your user account.

List Member Tokens

debugbundle token member list

Output:

{
  "tokens": [
    {
      "token_id": "tok_01HJKL...",
      "label": "laptop-cli",
      "revoked_at": null
    }
  ]
}
FlagTypeDefaultDescription
--limitnumber50Maximum number of tokens to return.
--auth-filestring~/.debugbundle/auth.jsonPath to auth state file.
--jsonbooleanfalseOutput as JSON.

Create Member Token

debugbundle token member create --label "ci-pipeline"

Output:

{
  "token": {
    "token_id": "tok_01HMNO...",
    "label": "ci-pipeline",
    "plaintext": "dbundle_member_a1b2c3d4e5f6...",
    "revoked_at": null
  }
}

Use member tokens for CI/CD pipelines, automated scripts, and MCP server authentication.

FlagTypeDefaultDescription
--labelstringRequired. Human-readable label for the token.
--auth-filestring~/.debugbundle/auth.jsonPath to auth state file.
--jsonbooleanfalseOutput as JSON.

Revoke Member Token

debugbundle token member revoke tok_01HMNO...

Output:

{
  "token": {
    "token_id": "tok_01HMNO...",
    "label": "ci-pipeline",
    "revoked_at": "2026-03-24T10:30:00Z"
  }
}

Revoked member tokens are immediately rejected by the API.

FlagTypeDefaultDescription
--auth-filestring~/.debugbundle/auth.jsonPath to auth state file.
--jsonbooleanfalseOutput as JSON.

Token Security

  • Hashed at rest — All tokens are stored as SHA-256 hashes in the database. The plaintext is never persisted.
  • Plaintext once — Token plaintext is returned only at creation. If lost, revoke and create a new token.
  • Scope separation — Project tokens can only write events. Member tokens can only manage resources. Never conflate.
  • Revocation — Revoked tokens are rejected immediately. No grace period.

Common Patterns

Rotate a Project Token

# Create a new token
debugbundle token project create proj_01HXYZ... --label "production-sdk-v2"
# → Copy the new plaintext token

# Update your application's DEBUGBUNDLE_PROJECT_TOKEN environment variable

# Revoke the old token after deployment
debugbundle token project revoke proj_01HXYZ... tok_OLD...

Create a CI/CD Token

# Create a member token for your CI pipeline
debugbundle token member create --label "github-actions"
# → Copy the plaintext token to your CI secrets

Next Steps

Log Ingestion

Ingest log files and watch live logs with debugbundle ingest and debugbundle watch.

Webhook Management

Create, test, and manage webhooks with the DebugBundle CLI.

On this page

Token TypesProject TokensList Project TokensCreate Project TokenRevoke Project TokenMember TokensList Member TokensCreate Member TokenRevoke Member TokenToken SecurityCommon PatternsRotate a Project TokenCreate a CI/CD TokenNext Steps