asymmetric tokens <id> [options]
spin shows once at create time. Tokens are stored locally in
~/.asymmetric/registry.json (mode 0600) so you can retrieve them any time
without re-spinning; the clone’s database only ever stores hashes.
Use these as bearer tokens against the clone’s REST API. See
Apps and tokens and
Connect your agent.
Arguments
| Argument | Required | Description |
|---|
<id> | yes | Clone id, e.g. slack-a1b2. |
Options
| Option | Default | Description |
|---|
--json | off | Output the tokens (and app/workspace ids) as JSON. |
--reprovision | off | Mint fresh tokens, replacing the current ones. The old tokens stop working. |
Examples
Print the tokens:
asymmetric tokens slack-a1b2
slack-a1b2 tokens:
bot token xoxb-…
user token xoxp-…
app <app-id> · workspace <workspace-id>
BOT=$(asymmetric tokens slack-a1b2 --json | jq -r .botToken)
curl -s http://127.0.0.1:3001/api/channels -H "authorization: Bearer $BOT"
Rotation and recovery
--reprovision mints a fresh pair and revokes the old ones. Use it to:
- rotate a token you’d rather not keep using, or
- recover when the tokens weren’t captured at spin time (a rare
provisioning hiccup) — re-provisioning always returns a working pair, so a
clone can never get stuck without usable tokens.
asymmetric tokens slack-a1b2 --reprovision
slack-a1b2 tokens (rotated):
bot token xoxb-… # new
user token xoxp-… # new
Rotation is destructive to the old tokens — anything still using them (a running
agent, a saved script) will start getting 401s. Update those consumers after
rotating.
Notes
status / ls --json redact these tokens; tokens and spin are the
only commands that print them in the clear.- Tokens carry OAuth scopes, and the Slack clone enforces them on both its
REST API and its MCP surface — a request whose token lacks the required scope is
rejected, matching real Slack. The bot and user tokens minted at provision time
carry the app’s full default scope set.