TILLFORGE · ACCESS

One identity system, two credential kinds.

GA

TillForge has no parallel user system — identity, roles, and SSO come from TillAuth. You reach git and the API with one of two credentials: a tfp_ token (HTTPS + API) or a registered SSH key. Both are scoped, expiring, and revocable in one place.

01Tokens

tfp_ tokens — the git password and API key

A tfp_ token is your credential for HTTPS git (it’s the password) and for the CLI / API. Mint one scoped to exactly what it needs and give it an expiry.

bash
# Mint a token — read | write | admin, optionally repo-scoped, with an expiry.
tilldev forge tokens create --scope write --repo acme-api --expires 90
# → tfp_live_…   (shown ONCE — copy it now)

tilldev forge tokens ls               # list; secrets are never shown again
tilldev forge tokens revoke <id>      # kill a token immediately
ScopeGrants
readClone / fetch, and read the API (browse, findings, PRs).
writeEverything read grants, plus push and PR / review writes.
adminEverything write grants, plus policy, tokens, keys, and mirrors.

Add --repo <slug> to pin a token to a single repository — least authority by default. A token can never exceed the role of the member who minted it.

Shown once · stored hash-only · MFA-at-mint
The token secret is printed one time and stored as a hash — it cannot be recovered or re-displayed. Minting a token can require a fresh MFA check, and the mint is recorded in the audit log. Lost a token? revoke it and mint another; revocation is immediate.
02SSH keys

SSH keys with an enforced lifecycle

For SSH git, register a public key. TillForge validates the key, records its SHA-256 fingerprint, and refuses a duplicate or a known-leaked key. Every key is scoped and must carry an expiry — there are no long-lived keys, which is exactly the control that lets SSH sit alongside HTTPS safely.

bash
# Register an SSH public key (expiry required — no long-lived keys).
tilldev forge keys add <repo> --name laptop \
  --key "ssh-ed25519 AAAA… you@host" --scope write --expires 90
tilldev forge keys ls <repo>          # fingerprints, scope, expiry, last-used
tilldev forge keys revoke <repo> <id>

Only the public half is ever stored. Keys are listed with their fingerprint, scope, expiry, and last-used time, and revoke is instant. Use these with the SSH clone URL.

03Roles

Roles govern git and the API alike

Membership and roles are TillAuth’s — an org has owners, admins, developers, and viewers, and that role governs both what a session can do in the dashboard and what a tfp_ token or SSH key can do at the git boundary.

RoleCan
ownerEverything — including transfer / delete, and approving dangerous actions.
adminManage repos, branch policy, tokens, keys, mirrors, and AI egress policy.
developerPush (within policy), open and review PRs, read everything in the org.
viewerClone / fetch and read the dashboard — no writes.

Authorization is 404-not-403: a request for a repo outside your org resolves to a not-found, never a permission leak. Every high-privilege action — a force-push to a protected branch, a policy change, minting a token — is append-only audited (read it with tilldev forge audit).

SSO & SCIM are a later phase
OIDC SSO and SCIM auto-provisioning / deprovisioning flow from TillAuth and are on the enterprise roadmap; today you manage members and roles directly in the workspace. The offboarding action that revokes a member’s keys, tokens, and sessions in one step lands with SCIM.

Next: Branch protection for what these credentials are allowed to do at the push boundary, or the CLI reference. Back to the TillForge overview.