Start with the app, organize your vault, control CLI access, review Access Center activity, and connect browser autofill without sending your secrets to a cloud service.
Authsia works offline and stores vault data locally through Apple security services.
Download Authsia for Mac, move it to /Applications, and launch it once. This registers the local bridge and SSH agent helpers used by terminal and browser workflows.
Add OTP accounts, passwords, certificates, notes, or SSH keys from the app. Use folders for teams, projects, and environments so CLI and agent access can be granted narrowly later.
CLI and browser workflows require the global CLI Access setting plus each item's own CLI toggle. Keep sensitive items disabled when they should stay app-only.
Treat folders and item toggles as your main safety controls.
Put related secrets in folders like Team/API or Production. Authsia can resolve and display exactly which folder was granted temporary access.
Disable CLI access on items that should never leave the app. List, CLI, browser, automation, and just-in-time agent flows all respect that item-level toggle.
Store authsia:// references in scripts and templates instead of plaintext secrets. The reference is safe to inspect; the secret resolves only at approved runtime.
Normal Git and SSH access should use Authsia's built-in SSH agent. It signs with vault keys without copying private keys into long-lived shell environments.
Review who can use the vault from terminal, agent, and automation workflows.
Agent JIT grants show the resolved folder, exact requested vault items, requester identity, terminal status, expiration, and revoke controls. Expired grants remain visible for review, but revoke is only available while access is still active.
Enable the human-session toggle to see active terminal sessions and historical CLI activity beside agent grants. Use revoke controls to end active human CLI sessions from the app.
The top-level insight view summarizes recent access by item and folder. Click a row to focus the grants and activity list on that item or folder.
Keep plaintext secrets out of prompts, diffs, command history, and terminal output observed by coding agents.
Store authsia:// references in files that agents can read or edit. Resolve those references only when launching a trusted command with authsia exec.
    # .env - safe for agents to inspect
    API_KEY=authsia://password/GitHub/password

    # Runtime resolution
    authsia exec --env-file .env -- npm start
The human unlocks Authsia in the terminal, or provides a scoped automation credential for background work. The agent must stop when access is missing and must not fall back to plaintext commands such as authsia get, read, load, or inject.
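An added check, not part of Authsia or its documentation, that a repository hook could run over files agents can read: it flags secret-looking .env keys whose value is not an authsia:// reference, and any use of the plaintext subcommands named above. The key-name pattern, the sample values and ITEM_PLACEHOLDER are assumptions of this example.

```python
import re

REFERENCE_PREFIX = "authsia://"  # reference scheme shown on this page
# Assumption of this example: key names matching this pattern hold secrets.
SECRET_KEY_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL", re.I)
# Subcommands the page lists as plaintext paths an agent must not fall back to.
PLAINTEXT_COMMAND = re.compile(r"\bauthsia\s+(get|read|load|inject)\b")
# KEY=VALUE with optional "export"; comment and blank lines never match.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def lint_env(text):
    """Return (line_number, key) for secret-looking keys not set to a reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.groups()
        value = value.strip("\"'")  # tolerate quoted values
        if SECRET_KEY_NAME.search(key) and not value.startswith(REFERENCE_PREFIX):
            findings.append((number, key))
    return findings

def lint_commands(text):
    """Return (line_number, subcommand) for each plaintext authsia invocation."""
    return [
        (number, match.group(1))
        for number, line in enumerate(text.splitlines(), start=1)
        for match in PLAINTEXT_COMMAND.finditer(line)
    ]

# Constructed sample input; values and ITEM_PLACEHOLDER are made up.
SAMPLE_ENV = """\
# .env
API_KEY=authsia://password/GitHub/password
DB_PASSWORD="example-plaintext-value"
export SERVICE_TOKEN=example-plaintext-token
LOG_LEVEL=debug
"""
SAMPLE_SCRIPT = """\
authsia exec --env-file .env -- npm start
export API_KEY=$(authsia get ITEM_PLACEHOLDER)
"""

if __name__ == "__main__":
    for number, key in lint_env(SAMPLE_ENV):
        print(f".env:{number}: {key} is not an authsia:// reference")
    for number, sub in lint_commands(SAMPLE_SCRIPT):
        print(f"script:{number}: plaintext command 'authsia {sub}'")
```

The key-name match is a heuristic, so a project with differently named secrets needs its own pattern or an explicit list of keys.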
Authsia can prompt the human in Access Center for short-lived, exact-folder exec and scoped list access. If approval is denied or expires, the agent stops instead of trying another plaintext path.
The CLI guide contains copyable prompts for both modes: standard/no-JIT and Access Center JIT. Put the matching prompt in AGENTS.md, CLAUDE.md, .cursor/rules, .windsurfrules, or Copilot instructions.
Password autofill works locally through the Authsia app and Chrome extension. Add a website URL to the password item and keep CLI access enabled for that item so it can appear in browser suggestions.
/Applications and launched once.
Use the CLI guide when you need command examples, shell integration, agent-safe exec, SSH adoption, automation credentials, audit export, or troubleshooting commands.
Status
Run authsia status to check the bridge, shell, session, and SSH agent state.
Diagnostics
Run authsia doctor when a command cannot connect or setup looks stale.
Lock
Run authsia lock or revoke from Access Center to end active sessions.