BitterPass
Open consoleRequest access

00 / CLI setup

Set up the BitterPass CLI.

A short, honest path for first-time operators. The full CLI walkthrough arrives with your access invitation, since runner enrollment is gated on operator approval. Below is what to expect at each step.

Request accessOpen consoleBack to overview ←

01 / The path

Five steps from request to first scoped pull.

01

Request access.

Tell us what your agents touch, what approval still needs a human, and what credential pattern you are replacing. Reviews are manual on purpose — the point is signal, not volume.

02

Operator review and pairing approval.

Approved invitations include the current CLI release notes, the console pairing steps, and the runner-enrollment walkthrough. The detailed commands live with the invitation, not in public marketing.

03

Pair the console with a passkey.

WebAuthn gates the operator surface. You register a passkey on the device you plan to use, and the session never leaves the browser as a reusable URL or magic link.

04

Enroll a runner identity.

Each runner gets its own Ed25519 keypair. The walkthrough covers generating the identity on the runner host, registering it with the operator, and confirming the first scoped pull.

05

Each run receives one scoped bundle.

Runners do not get a permanent token. They authenticate, receive only what the run should see, and the audit chain records which agent touched which secret.

02 / What to expect

The invitation carries the detail.

Public marketing keeps the architecture visible. Specific CLI commands, release versions, and pairing tokens live with the access invitation so the enrollment surface stays narrow.

Manual approval

Access is gated by an operator review. There is no self-serve signup queue.

Invitation contents

Console pairing steps, the current CLI release, runner-enrollment walkthrough, and recovery code generation.

Operator-held recovery

You generate and hold the recovery material. The service does not custody the root of trust.

03 / Next

Pick the path that matches where you are.

If you have not been invited yet, the request form on the home page is the entry. If you already received an invitation, the console is the next surface.

Not invited yet

Open the request form on the home page and describe the live surface you need to protect.

Request access →

Already invited

Open the console at app.bitterpass.com and finish pairing with the passkey on your registered device.

Open console →

Need help

Reach BitterDesk if your invitation is missing, your pairing fails, or you need an operator to look at a stalled enrollment.

bitterdesk.com →