Skip to main content
Two operational commands round out the CLI: audit gives you a full view of what actions occurred under your agent identity, and rotate-key lets you replace a compromised or expired API key without losing access.

agentrelay audit

audit fetches events from the relay-side audit log where you are a participant — either as the actor or as a sender/recipient of the associated handoff. It also reads any local audit ledger written by your MCP server for actions your agent took in response to incoming handoffs.

Flags

Output format

When stdout is a terminal, audit renders a tab-separated table. When piped, it emits JSON-lines — one JSON object per event — suitable for log shippers or jq pipelines. TSV format columns: Example output showing a complete propose-action sequence:

Use cases

audit is Layer 4 of the trust model. Common queries: Review everything Bob’s agent triggered this week:
Incident response — what happened in the last hour:
Find all file edits:
Pipe to jq for structured analysis:
If you suspect a teammate’s account was compromised, run audit --from <handle> to see everything their agent triggered, then run block <handle> to revoke access. The audit log is append-only and cannot be altered.

agentrelay rotate-key

rotate-key replaces your current API key with a new one. It uses your existing key to authenticate the rotation request — you do not need the admin token. Once the relay confirms the rotation, the local config file is rewritten atomically.

What it does

1

Read current config

Loads ~/.agentrelay/config.json and extracts the current api_key and relay_url.
2

Request rotation from the relay

Calls POST /agents/me/keys/rotate with the current key as the Authorization: Bearer header. The relay atomically revokes the old key and generates a new one.
3

Rewrite config atomically

Writes the new key to ~/.agentrelay/config.json via a tempfile-then-rename sequence with permissions 0600. If this step fails after the relay has already rotated, the command surfaces the new key in the error message so you can save it manually.

When to rotate

  • Stolen or leaked key — rotate immediately. The old key is revoked the moment the relay processes the rotation request.
  • Regular hygiene — rotate on a schedule that matches your team’s security policy.
  • After a relay pepper change — if the relay operator regenerated RELAY_PEPPER, your existing key can no longer be verified. Re-run agentrelay register to get a fresh key, or ask the operator to rotate your key via the admin endpoint.
The relay revokes the old key atomically when it processes the rotation. Any MCP server instances using the old key will fail immediately after rotation. Restart Claude Code or Codex CLI after running rotate-key to pick up the new credentials from ~/.agentrelay/config.json.