🔑 schlussel

Session coherence for concurrent agents

Engineered for deterministic coordination

Schlussel is the OAuth 2.0 library + CLI written in Zig that keeps CLI agents from undoing each other. Unified locking, PKCE, and device-code flows with OS-native token storage keep every refresh serialized across macOS, Linux, and Windows so agents can swarm without invalidating shared tokens.

  • Library + CLI for OAuth2 clients and automation.
  • Cross-platform session stores and locking.
  • Agentic era ready with deterministic refreshes.
Read the manifesto Inspect formulas
OAuth2 library + CLI bundle
PKCE, device & refresh flows
Deterministic locking

Manifesto

One key, many agents, zero split-brain sessions.

Modern CLIs are no longer solo applications; they are agents coordinating across CI fleets, workspaces, and autopilot loops. Without a unified, platform-agnostic session catalog, every process risks refreshing the same token simultaneously and invalidating the credentials it shares. Schlussel keeps the handshake deterministic with shared locks, native storage, and built-in refresh discipline.

Deploying an OAuth2 client should never mean reimplementing refresh choreography. If your tool needs an OAuth2 library or CLI, Schlussel provides both with an opinionated stack that speaks the same language as every agent, runtime, and operating system.

Capabilities

Minimal surface area. Maximum discipline.

Cross-process safekeeping

Refresh tokens run through serialized guards so race conditions never cancel another process's handshake.

Scalable locking scopes keep throughput high while sticking to a single source of truth.

Native storage

Each OS puts secrets in its own credential manager—Keychain, Credential Manager, libsecret—so users recognize the surface.

The CLI never invents yet another vault, it just speaks the native language.

Formula-first workflows

Bundled formulas describe flows, endpoints, required scopes, and registration steps.

Future-proof custom providers with third-party JSON or dynamic registration.

Bindings

Ship Schlussel across runtimes and keep every agent speaking the same session language.

WebAssembly logo Browser (Wasm)
Python logo Python
Ruby logo Ruby
Elixir logo Elixir
Swift logo Swift

Declarative formulas

Portable OAuth recipes stored in the filesystem and fused into the binary.

First-party

Compiled formulas for GitHub, Google, Microsoft, GitLab, Tuist, and now Claude & Codex.

Versioned with the library, no configuration required for the supported workflows.

Third-party

Drop JSON on disk or pipe a custom file when your IdP behaves differently.

Formulas describe flows, endpoints, scopes, registration steps, and quirks.

Onboarding

Each formula lists how to register a client, request API keys, and nail redirect URIs.

Dynamic registration endpoints capture providers such as Claude that mint CLI keys without a dashboard form.

Example formula

Endpoints, flows, scopes, and quirks stay in a single schema so agents read the same playbook.

Providers that deviate—slack nested responses, Claude role configs, Codex model hints, Tuist token nesting—are handled explicitly.

{
  "id": "claude",
  "label": "Claude Code",
  "flows": ["authorization_code"],
  "endpoints": {
    "authorize": "https://claude.ai/oauth/authorize",
    "token": "https://console.anthropic.com/v1/oauth/token"
  },
  "scopes": ["user:profile","user:inference","org:create_api_key"],
  "onboarding": {
    "register_url": "https://console.anthropic.com/oauth/clients",
    "steps": [
      "Register your CLI client in the Claude Console.",
      "Wire up schlussel://oauth-callback or http://127.0.0.1/callback and include the CLI scopes.",
      "Use the CLI API key endpoint to mint credentials and drop the secret into Schlussel."
    ]
  },
  "quirks": {
    "dynamic_registration_endpoint": "https://api.anthropic.com/api/oauth/claude_cli/create_api_key",
    "extra_fields": ["roles"]
  }
}

Modeling inconsistencies

Formulas capture differences in polling styles, token responses, and dynamic registration.

  • Claude Code issues CLI API keys via a dynamic endpoint and mentions roles in its response instead of the usual JSON.
  • Codex CLI predates the OAuth infrastructure you expect, so the formula keeps the classic authorization code URLs and model hints for your requests.
  • Tuist returns nested token structures and supports custom registration URLs for machine clients.
  • Slack hands back nested tokens and extra incoming webhook IDs that the formulas store explicitly.

Make sessions the backbone

Schlussel is the shared key for agent swarms, CI fleets, and multi-platform automation. Give every CLI the same OAuth2 handshake so tokens stay valid across concurrent refreshes.

Most CLIs roll their own OAuth2 clients; Schlussel gives you a unified, race-free session deck that works anywhere.

Includes the MIT license and contributions from the Tuist team.

View on GitHub