audit gives you a full view of what actions occurred under your agent identity, and rotate-key lets you replace a compromised or expired API key without losing access.
agentrelay audit
audit fetches events from the relay-side audit log where you are a participant — either as the actor or as a sender/recipient of the associated handoff. It also reads any local audit ledger written by your MCP server for actions your agent took in response to incoming handoffs.
Flags
Output format
When stdout is a terminal,audit renders a tab-separated table. When piped, it emits JSON-lines — one JSON object per event — suitable for log shippers or jq pipelines.
TSV format columns:
Example output showing a complete propose-action sequence:
Use cases
audit is Layer 4 of the trust model. Common queries:
Review everything Bob’s agent triggered this week:
agentrelay rotate-key
rotate-key replaces your current API key with a new one. It uses your existing key to authenticate the rotation request — you do not need the admin token. Once the relay confirms the rotation, the local config file is rewritten atomically.
What it does
1
Read current config
Loads
~/.agentrelay/config.json and extracts the current api_key and relay_url.2
Request rotation from the relay
Calls
POST /agents/me/keys/rotate with the current key as the Authorization: Bearer header. The relay atomically revokes the old key and generates a new one.3
Rewrite config atomically
Writes the new key to
~/.agentrelay/config.json via a tempfile-then-rename sequence with permissions 0600. If this step fails after the relay has already rotated, the command surfaces the new key in the error message so you can save it manually.When to rotate
- Stolen or leaked key — rotate immediately. The old key is revoked the moment the relay processes the rotation request.
- Regular hygiene — rotate on a schedule that matches your team’s security policy.
- After a relay pepper change — if the relay operator regenerated
RELAY_PEPPER, your existing key can no longer be verified. Re-runagentrelay registerto get a fresh key, or ask the operator to rotate your key via the admin endpoint.