Lithify / docs PRIVATE BETA

Auth & access

Two ways into Lithify. People sign in with a magic link sent to their email. Machines (your apps, scripts, model agents) authenticate with API keys. Both can be revoked instantly.

Signing in

  1. Visit /login and enter your email.
  2. Lithify emails you a one-time link.
  3. Clicking the link signs you in.

No passwords to set, no accounts to "create" — if your workspace has approved your email, the link works; if it hasn't, you'll see a clear message rather than a vague error.

API keys

API keys belong to a project, not to a user. You can mint and revoke them under Project → Settings → Machine Access.

  • Each key has a name for your own bookkeeping.
  • Each key has one or more scopes that say what it's allowed to do.
  • The full key is shown once, when you create it. Save it somewhere safe; if you lose it, mint a new one and revoke the old.
  • Revocation is instant — the next request the revoked key makes will be rejected.

What's recorded

  • Every API request records which key was used and what it called.
  • Every change to a brief records who made it (a person, or one of the agents).
  • Every agent run is on the brief's timeline with its inputs and outputs.
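The key lifecycle and request log described above can be modelled in a few lines. This is an added illustration, not Lithify's code or API: the `KeyStore` class, the `key_id.secret` key format, the scope names and the outcome strings are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
import time


class KeyStore:
    """Toy model of project-owned API keys (hypothetical, not Lithify's implementation)."""

    def __init__(self):
        self._keys = {}   # key_id -> record; the secret itself is never stored
        self.audit = []   # (timestamp, key_id, action, outcome) for every request

    def mint(self, project, name, scopes):
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = {
            "project": project,            # keys belong to a project, not a user
            "name": name,                  # label for the owner's bookkeeping
            "scopes": frozenset(scopes),
            "digest": hashlib.sha256(secret.encode()).digest(),
            "revoked": False,
        }
        # "Shown once": only a hash is kept, so a lost key cannot be recovered.
        return f"{key_id}.{secret}"

    def revoke(self, key_id):
        # Checked on every request, so the very next call is rejected.
        self._keys[key_id]["revoked"] = True

    def authorize(self, presented, action):
        key_id, _, secret = presented.partition(".")
        rec = self._keys.get(key_id)
        digest = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison of the presented secret's hash.
        match = rec is not None and hmac.compare_digest(digest, rec["digest"])
        if not match:
            outcome = "unknown_key"
        elif rec["revoked"]:
            outcome = "revoked"
        elif action not in rec["scopes"]:
            outcome = "out_of_scope"
        else:
            outcome = "allowed"
        # Record which key was used and what it called, allowed or not.
        self.audit.append((time.time(), key_id if rec else None, action, outcome))
        return outcome
```

Because the model keeps only a digest, a key that is lost can only be replaced, which is why the guidance above is to mint a new one and revoke the old.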

Treat API keys like passwords. A leaked key gives the holder everything the key's scopes allow until you revoke it. Use a secret manager — not a checked-in env file.