Synsci CLI does the credential plumbing so you don’t have to. Tokens for Hugging Face, Weights & Biases, Modal, Lambda Cloud, AWS, and GCP are stored in your dashboard, pulled at session start, held in process memory only, and injected into subprocesses when the agent runs commands that need them. Nothing is written to disk.

Supported providers

  • Hugging Face. HF_TOKEN, read and write to private models, datasets, and Spaces.
  • Weights & Biases. WANDB_API_KEY, log training runs, sweeps, and artifacts.
  • Modal. MODAL_TOKEN_ID and MODAL_TOKEN_SECRET, launch sandboxed jobs.
  • Lambda Cloud. LAMBDA_API_KEY, request and manage on-demand GPU instances.
  • AWS. AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, full AWS SDK reach.
  • GCP. GOOGLE_APPLICATION_CREDENTIALS (path to a JSON key), full GCP SDK reach.

How sync works

1

Add credentials to your dashboard

Sign in to cli.syntheticsciences.ai and paste your tokens into the Credentials panel. Each provider has its own slot; you only fill in the ones you need. The dashboard encrypts them at rest and scopes them to your account.
2

Connect the CLI

Run synsc connect login once. The CLI receives a Bearer token that authenticates against your dashboard for credential and credit operations. Re-running login is only necessary if the Bearer token expires or you log out.
3

Credentials sync at session start

Each time you launch synsc, the CLI fetches your latest credentials from the dashboard over an authenticated channel. The values are held in process memory for the lifetime of the session.
4

Subprocesses get filtered envs

When the agent runs a shell command (bash, python, git, anything), the relevant credentials are injected as environment variables into that subprocess only. Provider keys that the command doesn’t need are filtered out, see Security for the filtering policy.

Updating a credential

To rotate a token:
  1. Update it in the dashboard.
  2. Run synsc connect status (or restart your session) to pick up the new value.
You don’t need to edit any local config, the dashboard is the source of truth.

What “in-memory only” means

Credentials never touch disk. Specifically:
  • No config files. The CLI does not write ~/.aws/credentials, ~/.cache/huggingface/token, or any other provider config file.
  • No shell history leakage. The agent doesn’t export HF_TOKEN=... in your interactive shell. The token only enters subprocess envs.
  • No process memory dumps. When the session ends (you exit the CLI, the process dies), the credentials are gone.
This is by design. The dashboard is the persistent layer; the CLI is a stateless consumer.

Output redaction

Even though credentials only enter subprocess envs, sometimes a command echoes one back, for example, printenv or a curl debug log. Synsci CLI runs an output filter that replaces any synced credential with [REDACTED] before the line reaches your terminal. 
> @build run printenv | grep TOKEN
HF_TOKEN=[REDACTED]
WANDB_API_KEY=[REDACTED]
The redaction is purely client-side; it has no effect on the actual subprocess, so the command still works. It’s just to prevent accidental disclosure in your terminal scrollback or when you screenshot a session.

Per-user isolation

Credentials are scoped to your account. The dashboard uses Supabase Row-Level Security and Bearer-token auth so that even if two CLI users share the same machine, they can’t read each other’s credentials. If you’re on a shared workstation, run synsc connect logout when you’re done to invalidate the local Bearer token before stepping away.

Bring-your-own-key alternative

If you’d rather not store a credential in the dashboard at all, for instance, if your organization restricts where AWS keys can live, set the env var directly in your shell before launching synsc: 
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
synsc
The CLI reads existing env vars at startup and won’t overwrite them with synced values. You give up the convenience of dashboard rotation, but the credential never leaves your machine.

What’s next

  • Security model. The full credential boundary, output redaction, and device-flow auth.
  • Web UI. Manage credentials from inside the recommended interface.