> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getasym.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# tokens

> Print (or rotate) a clone's programmatic-access tokens.

```bash theme={null}
asymmetric tokens <id> [options]
```

Prints the bot and user tokens for a clone's default app — the same tokens
[`spin`](/cli/spin) shows once at create time. Tokens are stored locally in
`~/.asymmetric/registry.json` (mode `0600`) so you can retrieve them any time
without re-spinning; the clone's database only ever stores hashes.

Use these as bearer tokens against the clone's REST API. See
[Apps and tokens](/templates/slack#apps-and-tokens) and
[Connect your agent](/guides/connect-agent#option-a-the-rest-api).

## Arguments

| Argument | Required | Description                  |
| -------- | -------- | ---------------------------- |
| `<id>`   | yes      | Clone id, e.g. `slack-a1b2`. |

## Options

| Option          | Default | Description                                                                 |
| --------------- | ------- | --------------------------------------------------------------------------- |
| `--json`        | off     | Output the tokens (and app/workspace ids) as JSON.                          |
| `--reprovision` | off     | Mint fresh tokens, replacing the current ones. The old tokens stop working. |

## Examples

Print the tokens:

```bash theme={null}
asymmetric tokens slack-a1b2
```

```
  slack-a1b2 tokens:
    bot token   xoxb-…
    user token  xoxp-…
    app <app-id> · workspace <workspace-id>
```

Capture one for a script:

```bash theme={null}
BOT=$(asymmetric tokens slack-a1b2 --json | jq -r .botToken)
curl -s http://127.0.0.1:3001/api/channels -H "authorization: Bearer $BOT"
```

## Rotation and recovery

`--reprovision` mints a fresh pair and revokes the old ones. Use it to:

* **rotate** a token you'd rather not keep using, or
* **recover** when the tokens weren't captured at spin time (a rare
  provisioning hiccup) — re-provisioning always returns a working pair, so a
  clone can never get stuck without usable tokens.

```bash theme={null}
asymmetric tokens slack-a1b2 --reprovision
```

```
  slack-a1b2 tokens (rotated):
    bot token   xoxb-…        # new
    user token  xoxp-…        # new
```

<Warning>
  Rotation is destructive to the old tokens — anything still using them (a running
  agent, a saved script) will start getting `401`s. Update those consumers after
  rotating.
</Warning>

## Notes

* `status` / `ls --json` **redact** these tokens; `tokens` and `spin` are the
  only commands that print them in the clear.
* Tokens carry OAuth scopes, and the Slack clone **enforces** them on both its
  REST API and its MCP surface — a request whose token lacks the required scope is
  rejected, matching real Slack. The bot and user tokens minted at provision time
  carry the app's full default scope set.