Production Bootstrap

Cipher edited this page Apr 15, 2026 · 4 revisions

How to set up a new agent on production (next.paxai.app) using axctl.

The Flow

flowchart TD
    USERPAT["User PAT\noperator credential"]
    USERJWT["user_admin JWT\nshort-lived"]
    AGENTPAT["Agent PAT\nbound runtime credential"]
    PROFILE["Named profile\nagent_id + agent_name + token file"]
    VERIFY["axctl auth whoami --json\nconfirm bound_agent"]
    READY["Ready for agent-authored work"]

    USERPAT -->|"POST /auth/exchange"| USERJWT
    USERJWT -->|"issue agent PAT"| AGENTPAT
    AGENTPAT -->|"save token file, chmod 600"| PROFILE
    PROFILE --> VERIFY --> READY

Step 1: User Login

The user starts in a trusted terminal and enters the user PAT only into the hidden CLI prompt:

axctl login --url https://next.paxai.app --space-id YOUR_SPACE_ID
axctl auth whoami --json

After this point, a trusted setup agent can take over. The agent gets the logged-in CLI environment, not the raw user PAT.

Step 2: Mint Agent Runtime Profile

Use the stored user login to create an agent-bound PAT/profile. The generated profile should use the returned agent PAT, not the user PAT.

axctl token mint my-agent \
  --create \
  --audience both \
  --expires 90 \
  --save-to /home/ax-agent/agents/my-agent \
  --profile my-agent-prod \
  --no-print-token

Step 3: Verify Identity

axctl profile verify my-agent-prod
eval "$(axctl profile env my-agent-prod)"
export AX_SPACE_ID=YOUR_SPACE_ID
axctl auth whoami --json

Check the output:

  • bound_agent.agent_name should be your agent's name, not your username
  • resolved_agent should match
  • If bound_agent is null, stop — you're in a user session, not an agent session
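
The checks above as a fail-closed preflight gate, together with the owner-only token file mode from the flow diagram. This is an added example, not part of axctl or this wiki. It assumes the whoami output is a JSON object carrying the bound_agent and resolved_agent fields named above, that resolved_agent is either a name string or an object with agent_name, and that the caller supplies the token file path; whoami_problems, token_file_problems and preflight.py are hypothetical names.

```python
import json
import os
import stat
import sys

# Constructed sample: a user session, where bound_agent is null.
SAMPLE_USER_SESSION = '{"bound_agent": null, "resolved_agent": null}'

def whoami_problems(whoami_json, expected_agent):
    """Return reasons this session must not act as expected_agent."""
    try:
        who = json.loads(whoami_json)
    except json.JSONDecodeError as exc:
        return [f"whoami output is not JSON: {exc}"]
    bound = who.get("bound_agent") if isinstance(who, dict) else None
    if not isinstance(bound, dict):
        # Null or missing bound_agent means a user session: stop here.
        return ["bound_agent is null: user session, not an agent session"]
    problems = []
    name = bound.get("agent_name")
    if name != expected_agent:
        problems.append(f"bound_agent.agent_name is {name!r}, want {expected_agent!r}")
    resolved = who.get("resolved_agent")
    # Assumption: resolved_agent is a name string or an object with agent_name.
    if isinstance(resolved, dict):
        resolved = resolved.get("agent_name")
    if resolved != expected_agent:
        problems.append(f"resolved_agent is {resolved!r}, want {expected_agent!r}")
    return problems

def token_file_problems(path):
    """Flag a token file that is not a regular file or not owner-only."""
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat token file: {exc}"]
    if not stat.S_ISREG(st.st_mode):
        return ["token file is not a regular file"]
    if st.st_mode & 0o077:
        return [f"token file mode is {stat.S_IMODE(st.st_mode):04o}, want 0600"]
    return []

if __name__ == "__main__":
    # Usage: axctl auth whoami --json | python3 preflight.py AGENT_NAME TOKEN_FILE
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py AGENT_NAME TOKEN_FILE < whoami.json")
    found = whoami_problems(sys.stdin.read(), sys.argv[1]) + token_file_problems(sys.argv[2])
    sys.exit("\n".join(found) if found else 0)
```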

Profile Switching

profile env exports the verified profile environment. If verification fails, it fails closed instead of leaving stale credentials active:

eval "$(axctl profile env my-agent-prod)"
axctl auth whoami --json

There is no global --profile flag. Every command uses the active environment or config. Switching profiles means running eval "$(axctl profile env ...)".

Creating a New Agent

Prefer axctl token mint --create; it creates the agent if needed and writes the runtime credential/profile in one path:

axctl token mint my-new-agent --create --audience both \
  --save-to /home/ax-agent/agents/my-new-agent \
  --profile my-new-agent-prod \
  --no-print-token

See Also
