§ 04 · Integrate · Authentication

Authentication.

You only need a key for cloud features. The GitHub Action and the deterministic local CLI run with no account and no key. An API key authenticates the managed cloud features (dashboard sync, managed AI false-positive filter) when you opt into them.

§ 01 · The GitHub Action needs no key

In CI the Action authenticates to GitHub with the runner-provided GITHUB_TOKEN — you never create or store a CodeTitan key for the Action. It runs on your own runner; your code never leaves CI.

§ 02 · Create an API key

Sign in once, then generate a key from the CLI (or from your dashboard under Settings → API keys):

codetitan login
codetitan keys create --name "my-laptop"

The key is shown once, on creation. It looks like ct_key_…. Copy it then — it is stored hashed and can never be displayed again.

§ 03 · Use a key

Set it as an environment variable, or pass it explicitly with --api-key:

export CODETITAN_API_KEY=ct_key_...
codetitan analyze . --no-ai

# or, per-invocation:
codetitan analyze . --api-key ct_key_...

§ 04 · List and revoke

See your keys (prefix only — the full value is never stored), and revoke by id:

codetitan keys list
codetitan keys revoke <id>

If a key leaks, revoke it and create a new one — there is no downtime.
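
To catch a leak before it is committed, the function below scans a working tree for strings carrying the ct_key_ prefix and reports them with the secret part masked. It is an added example, not part of CodeTitan's tooling. The character set and minimum length after the prefix are assumptions (the page documents only the prefix), and `scan_ct_keys` and `make_sample_tree` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example: find strings that look like CodeTitan API keys in a directory tree.
# ASSUMPTION: the part after "ct_key_" is 16 or more characters from [A-Za-z0-9_-].
# The documentation only states the "ct_key_" prefix, so adjust this to real keys.
CT_KEY_RE='ct_key_[A-Za-z0-9_-]{16,}'

# scan_ct_keys [DIR]
# Prints "file:line:ct_key_XXXX[REDACTED]" for each candidate.
# Returns 0 when nothing is found and 1 when at least one candidate is found,
# so it can gate a pre-commit hook or a CI step.
scan_ct_keys() {
    local root="${1:-.}" hits
    # -r recurse, -I skip binary files, -n line numbers, -o print only the match
    hits=$(grep -rInoE --exclude-dir=.git -- "$CT_KEY_RE" "$root" 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    # Keep 4 characters after the prefix so the report is not itself a leak.
    printf '%s\n' "$hits" |
        sed -E 's/(ct_key_[A-Za-z0-9_-]{4})[A-Za-z0-9_-]*$/\1[REDACTED]/'
    return 1
}

# make_sample_tree
# Builds a constructed sample tree for a dry run and prints its path.
# The key below is fabricated for this example and is not a real credential.
make_sample_tree() {
    local d
    d=$(mktemp -d)
    # A key pasted into a dotfile: should be reported.
    printf 'CODETITAN_API_KEY=ct_key_CONSTRUCTEDexample0123456789\n' > "$d/.env"
    # The documentation placeholder "ct_key_..." is too short: should be ignored.
    printf 'codetitan analyze . --api-key ct_key_...\n' > "$d/README.md"
    printf '%s\n' "$d"
}

# Typical use from the repository root:
#   scan_ct_keys . || echo "possible key in tree: run 'codetitan keys revoke <id>'"
```

A hit means the key should be treated as leaked: revoke it by id and create a new one, as described above.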

§ 05 · How keys are stored

  • Keys are opaque ct_key_… strings — not JWTs, no readable payload.
  • Stored as a bcrypt hash plus a short non-secret prefix for display. The plaintext key exists only at creation time; we cannot recover it.
  • All key transmission is over TLS.
Last updated · 2026-05-29