One identity system, two credential kinds.
GATillForge has no parallel user system — identity, roles, and SSO come from TillAuth. You reach git and the API with one of two credentials: a tfp_ token (HTTPS + API) or a registered SSH key. Both are scoped, expiring, and revocable in one place.
tfp_ tokens — the git password and API key
A tfp_ token is your credential for HTTPS git (it’s the password) and for the CLI / API. Mint one scoped to exactly what it needs and give it an expiry.
# Mint a token — read | write | admin, optionally repo-scoped, with an expiry.
tilldev forge tokens create --scope write --repo acme-api --expires 90
# → tfp_live_… (shown ONCE — copy it now)
tilldev forge tokens ls # list; secrets are never shown again
tilldev forge tokens revoke <id> # kill a token immediately| Scope | Grants |
|---|---|
read | Clone / fetch, and read the API (browse, findings, PRs). |
write | Everything read grants, plus push and PR / review writes. |
admin | Everything write grants, plus policy, tokens, keys, and mirrors. |
Add --repo <slug> to pin a token to a single repository — least authority by default. A token can never exceed the role of the member who minted it.
revoke it and mint another; revocation is immediate.SSH keys with an enforced lifecycle
For SSH git, register a public key. TillForge validates the key, records its SHA-256 fingerprint, and refuses a duplicate or a known-leaked key. Every key is scoped and must carry an expiry — there are no long-lived keys, which is exactly the control that lets SSH sit alongside HTTPS safely.
# Register an SSH public key (expiry required — no long-lived keys).
tilldev forge keys add <repo> --name laptop \
--key "ssh-ed25519 AAAA… you@host" --scope write --expires 90
tilldev forge keys ls <repo> # fingerprints, scope, expiry, last-used
tilldev forge keys revoke <repo> <id>Only the public half is ever stored. Keys are listed with their fingerprint, scope, expiry, and last-used time, and revoke is instant. Use these with the SSH clone URL.
Roles govern git and the API alike
Membership and roles are TillAuth’s — an org has owners, admins, developers, and viewers, and that role governs both what a session can do in the dashboard and what a tfp_ token or SSH key can do at the git boundary.
| Role | Can |
|---|---|
| owner | Everything — including transfer / delete, and approving dangerous actions. |
| admin | Manage repos, branch policy, tokens, keys, mirrors, and AI egress policy. |
| developer | Push (within policy), open and review PRs, read everything in the org. |
| viewer | Clone / fetch and read the dashboard — no writes. |
Authorization is 404-not-403: a request for a repo outside your org resolves to a not-found, never a permission leak. Every high-privilege action — a force-push to a protected branch, a policy change, minting a token — is append-only audited (read it with tilldev forge audit).
Next: Branch protection for what these credentials are allowed to do at the push boundary, or the CLI reference. Back to the TillForge overview.