Sign in & get an API key
Your first step is to sign into the Subak web app and obtain a credential the CLI can use. There are two credential types — a short-lived bootstrap token and a permanent API key — and this page covers both.
Sign in with a magic link
Open the web app at https://app.subak.ai.
You'll see a single card titled "Sign in or create an account to access your projects" with one email field and one button:
- Enter your email address.
- Click Send me a sign-in link.
- Check your inbox and click the sign-in link. It takes you back to the app, already signed in.
The same button works whether you're a brand-new user or returning — your account is created the first time the system sees your email. Each link is single-use; request a fresh one if you need to sign in again.
Magic link is the only enabled sign-in method right now. You may see references to Google or password sign-in elsewhere, but those paths are switched off in the current app — use the magic link.
When you land in an empty workspace (no projects yet), the app shows an onboarding walkthrough. That walkthrough is the easiest way to get a CLI credential, described next.
Get a credential for the CLI
The CLI needs a credential to talk to the Subak service. You can get one two ways. Most new users should use the bootstrap path (a); the manual API-key path (b) is there for CI, a second machine, or when you'd rather manage keys explicitly.
(a) Bootstrap token — the onboarding walkthrough
The onboarding walkthrough auto-mints a single-use bootstrap token for you and presents a ready-to-paste command that installs the CLI and logs in. You don't have to visit any settings page.
-
The token looks like
wpkx_live_…and is short-lived (roughly a 20-minute time-to-live). The walkthrough re-mints it automatically as it nears expiry. -
The walkthrough shows a combined install-and-login command. You'll run it in the next step; it looks like:
curl -sSfL https://subak.ai/install.sh | sh && subak login --bootstrap wpkx_live_<token> -
Behind the scenes, the CLI redeems the bootstrap token once and receives a permanent API key, which it stores for you. The bootstrap token itself can't be reused after that.
The bootstrap token is a one-time, short-lived hand-off from the app to the CLI. You never have to copy or store it long-term — the CLI exchanges it for a permanent key automatically.
(b) API key — Settings → API Keys
For a permanent credential you manage yourself, generate an API key:
- Go to Settings → API Keys (
/settings/api-keys). - Optionally enter a Device label (for example
laptoporci-runner; it defaults toCLI). - Click Generate key.
The raw key is shown exactly once, in a modal, with a copy button and a ready-to-paste command:
subak login --key wpk_live_<key>
Copy the key immediately — Subak never shows it again. An API key looks like wpk_live_….
As the API Keys page notes: these keys identify you, not a workspace. The CLI uses them to act on every workspace you belong to. Treat them like passwords. The page also lists your existing keys by device, prefix, and state, with a Revoke action.
Bootstrap token vs. API key
Bootstrap token (wpkx_live_…) | API key (wpk_live_…) | |
|---|---|---|
| Lifetime | Short (~20 min) | Permanent (until revoked) |
| Uses | Single-use | Reusable |
| How you get it | Auto-minted by the onboarding walkthrough | Generated manually in Settings → API Keys |
| Best for | First-time onboarding (happy path) | CI, a second machine, explicit key management |
| Login flag | subak login --bootstrap … | subak login --key … |
Both end with the CLI holding a permanent API key. Once you have a credential, continue to Install & authenticate the CLI.
Join or create a workspace
A workspace is the tenant that owns your projects: every project — and the artifacts inside it — lives under exactly one workspace, and you can belong to more than one. Signing in with the magic link only authenticates you; right after your first sign-in you don't have a workspace yet. You get one of two ways.
Create a workspace. On the Workspaces screen in the app, give your new workspace a name (a URL-friendly slug is derived from it for you). You become its owner. This is the path for the first person on a team.
Accept an invitation. If a teammate already has a workspace, an owner or admin can invite your email address and assign you a role. You receive an invitation link; opening it (while signed in) accepts the invitation and joins you to that workspace.
Workspaces have three roles — owner, admin, and member — and membership is managed per workspace from its Members screen. Owners and admins can invite people (as members or admins; the owner role is held by the workspace creator and isn't something you invite into). Once you belong to at least one workspace, the CLI can select it — see Install & authenticate the CLI.