Skip to main content

Overview

The applad CLI uses SSH keys as the identity system. Every developer registers their public key. Every CLI command, every UI session, and every applad instruct action is attributed to a key fingerprint in the audit trail.

Organization Management

applad orgs list

Lists all organizations on this instance with their IDs, names, member counts, and project counts. 
applad orgs list

applad orgs create

Creates a new organization. Scaffolds the org directory at orgs/<org-name>/org.yaml with default roles, an empty ssh_keys list, and a generated .env.example. 
applad orgs create --name "Acme"

applad orgs delete

Permanently deletes an organization and all its projects, data, and infrastructure configuration. Irreversible. Will prompt for confirmation. 
applad orgs delete <org-id>

applad orgs switch

Sets the active organization context for all subsequent commands. Most commands that accept --org default to whichever org you’ve switched to here. 
applad orgs switch <org-id>

Member Management

applad orgs members list

Lists all members of an org — their identities, roles, and registered SSH key labels. Reads from the runtime database where member records are stored. 
applad orgs members list <org-id>

applad orgs members invite

Sends an invitation to the given email address to join the org with the specified role. The invited developer will need to register their SSH public key when they accept the invitation. 
applad orgs members invite <org-id> \
  --email [email protected] \
  --role developer

applad orgs members remove

Removes a member from an org. Does not delete their data or audit trail entries — those are preserved. If they have an SSH key registered, it is automatically revoked. 
applad orgs members remove <org-id> <user-id>

applad orgs members role

Changes a member’s role within an org. Role changes take effect immediately and are recorded in the audit trail. 
applad orgs members role <org-id> <user-id> --role admin

SSH Key Management

SSH keys are the identity system in Applad. Every developer registers their public key. Every CLI command, every UI session, and every applad instruct action is attributed to a key fingerprint in the audit trail. Private keys never leave the developer’s machine — Applad only stores and uses public keys.

applad orgs keys list

Lists all SSH keys registered to an org — their labels, fingerprints, associated identities, roles, and permission scopes. 
applad orgs keys list <org-id>

applad orgs keys add

Registers a new SSH public key for an org member. The key file should be the .pub file — the public half of an SSH keypair. Applad reads the public key, computes its fingerprint, and adds it to org.yaml under ssh_keys. The developer’s private key never leaves their machine. 
applad orgs keys add <org-id> \
  --label "alice@macbook-pro" \
  --key "~/.ssh/id_ed25519.pub"

applad orgs keys revoke

Revokes a registered SSH key by its fingerprint. Any in-progress operations using this key are rejected immediately. The key’s historical audit trail entries are preserved — revocation does not erase history. Use this when a developer leaves or a key is compromised. 
applad orgs keys revoke <org-id> \
  --fingerprint "SHA256:abc123..."

applad orgs keys rotate

Replaces an existing key with a new one while preserving the developer’s identity and full audit history. The old key is revoked and the new key is linked to the same identity, so audit trail entries before and after rotation are all traceable to the same person. 
applad orgs keys rotate <org-id> \
  --old "SHA256:abc123..." \
  --new "~/.ssh/id_ed25519_new.pub"

applad orgs keys create-deployment

Creates a scoped deployment key for use in CI/CD pipelines (GitHub Actions, GitLab CI, etc.). Unlike developer keys which have broad access, deployment keys have explicitly limited permissions defined by --scopes. They appear distinctly in the audit trail as automated actions rather than human actions, making it easy to distinguish what a person did from what a pipeline did. 
applad orgs keys create-deployment <org-id> \
  --label "ci-github-actions" \
  --scopes "deployments:run,functions:deploy"

Examples

Create and configure a new organization

# Create the organization
applad orgs create --name "Acme Corp"

# Add your SSH key
applad orgs keys add org_abc123 \
  --label "alice@macbook-pro" \
  --key "~/.ssh/id_ed25519.pub"

# Invite a team member
applad orgs members invite org_abc123 \
  --email [email protected] \
  --role developer

Rotate a compromised SSH key

applad orgs keys rotate org_abc123 \
  --old "SHA256:old_fingerprint..." \
  --new "~/.ssh/id_ed25519_new.pub"

Create a CI/CD deployment key

applad orgs keys create-deployment org_abc123 \
  --label "github-actions-production" \
  --scopes "deployments:run,functions:deploy"

Revoke access for a departing team member

# Remove from org
applad orgs members remove org_abc123 user_xyz789

# Their SSH key is automatically revoked

Build docs developers (and LLMs) love

Get started for freeTalk to us