Access
Agent setup and guidance
Connect agents safely with browser approval, use Agent Key provisioning only when needed, and keep secret use on the run-first path.
Updated May 23, 2026
Agent setup starts with OAuth Connect. The agent runs scopehold connect, relays the verification URL and code, then a human approves the browser screen to select or create the agent identity, assign projects, grant only the secrets it needs, and choose the token lifetime.
Choose a setup path
- 1Use OAuth Connect by defaultThe CLI prints the approval URL and code first, then stores the approved connection in a named local profile. Agents should relay the URL and code immediately, never silently wait for approval. For one-off commands, use inline --secret mappings. For repeated workflows, use .scopehold.json mappings.
- 2Keep Agent Key provisioning advancedAgent Key provisioning remains available for CI, scripts, no-browser agents, or older CLI versions. Use it only when browser approval is not possible.
- 3Use the assigned profileAgents should use the exact ScopeHold profile created by connect or provisioning. Project .scopehold.json files should stay agent-agnostic and should not commit one local agent profile by default.
ScopeHold Agent Guidance endpoint
Agents can fetch current guidance from https://api.scopehold.com/agent-guidance. The root endpoint returns the generic Markdown variant. Explicit variants are available with target=generic, target=claude, target=codex, or target=cursor.
- generic
- Plain Markdown guidance for any runtime or prompt-based agent.
- claude
- The same guidance packaged as SKILL.md-style content for runtimes that consume Claude-style skills.
- codex
- The same guidance packaged as SKILL.md-style content with Codex-oriented install hints.
- cursor
- The same guidance packaged as Cursor rule content for .cursor/rules/scopehold-agent.mdc or equivalent Cursor settings.
Project .scopehold.json
- .scopehold.json may store shared non-secret context such as apiUrl, workspaceSlug, projectSlug, and environment-variable mappings.
- .scopehold.json must not store Agent Keys, local CLI profile names, provider secret values, OAuth credentials, database URLs, or credential payloads.
- CLI profiles are local agent identity. Agents should use the assigned profile with --profile instead of committing one profile into project config.
- For one-off commands, use scopehold run --profile <assigned-profile> --secret VAR=provider/name[:field] -- <command>. Requires ScopeHold CLI 0.4.0 or newer; if --secret is unavailable, run npm install -g @scopehold/cli@latest.
- For repeated workflows, use .scopehold.json mappings and scopehold run --profile <assigned-profile> -- <command> (exec remains a supported alias) so resolved values do not need to be written into project files.
- When a project needs a new env-var mapping, agents should inspect inventory with the assigned profile, copy exact provider/name identifiers and supported field names from credentialFields, update only the non-secret mapping, and validate without printing secrets.
- API key mappings should specify the exact field needed. Use field: "value" for the key value and field: "referenceId" when inventory lists it and the provider also requires a key ID, client ID, account ID, or access key ID.