Team Management
Kod uses token-based identity — there are no user accounts or passwords. Each person gets a token with a username and permissions, and is then added as a collaborator to the repositories they need access to.
Adding a Team Member
Section titled “Adding a Team Member”1. Create a token for the new user
Section titled “1. Create a token for the new user”As the admin, create a named token with the appropriate permissions:
kod token create alice --username alice --permissions repo:read,repo:writeThis outputs a token (e.g. kod_abc123...). This is the only time the token value is shown — copy it now.
Choose permissions based on the user’s role:
| Role | Suggested permissions |
|----------------------|-------------------------------------------------------------|
| Developer | repo:read,repo:write |
| Read-only / reviewer | repo:read |
| CI / deploy pipeline | repo:read,workflow:trigger |
| Team lead | repo:read,repo:write,collaborator:read,collaborator:write |
| Admin | admin |
See the CLI reference for the full list of available permissions.
2. Add them as a collaborator
Section titled “2. Add them as a collaborator”Grant the user access to one or more repositories:
kod repo my-project collaborator add alicekod repo another-repo collaborator add alice3. Share credentials
Section titled “3. Share credentials”Send the new user two things (through a secure channel):
- Server URL — e.g.
https://git.example.com - API token — the
kod_abc123...value from step 1
4. User configures their CLI
Section titled “4. User configures their CLI”The new user runs:
kod initThis prompts for the server URL and token, saves them to ~/.kod/config.json, and configures the Git credential helper so that git clone, git push, and git pull authenticate automatically.
For SSH Git access, the user can add a public key after kod init:
kod keys add ~/.ssh/id_ed25519.pubThey can now start working:
kod repo listkod clone my-projectcd my-project# make changes...git add . && git commit -m "My first commit"git push origin mainManaging Existing Team Members
Section titled “Managing Existing Team Members”List collaborators on a repository
Section titled “List collaborators on a repository”kod repo my-project collaborator listRemove a collaborator
Section titled “Remove a collaborator”kod repo my-project collaborator remove aliceThis revokes access to the repository. The user’s token still exists — to fully revoke all access, delete their token as well.
Revoke a user entirely
Section titled “Revoke a user entirely”# Find the token IDkod token list
# Delete itkod token delete <id>Once the token is deleted, all CLI and Git operations using it will fail immediately.
Rotate a user’s token
Section titled “Rotate a user’s token”There is no token update operation. To rotate credentials:
- Create a new token with the same username and permissions
- Share the new token with the user
- Delete the old token
- The user updates their config by running
kod initagain
How Access Control Works
Section titled “How Access Control Works”Access is determined by two things:
- Token permissions — what operations the token allows (e.g.
repo:read,repo:write) - Collaborator membership — which repositories the user’s username has been added to
Both must be satisfied for HTTP/API access. A token with repo:write permission can only push over HTTP to repositories where the associated username is listed as a collaborator.
SSH access is tied to collaborator public keys. A key can clone/push repositories where that key’s username is the repository owner or a collaborator. Anonymous SSH read access is available only when the server enables it and clients use the anonymous SSH username.
Tokens with the admin permission bypass collaborator checks and have full access to everything.