Team Management
Members
Section titled “Members”List Members
Section titled “List Members”passbox member list [options]Lists all members of a vault with their roles.
| Option | Description |
|---|---|
--vault <name> | Vault name or ID |
Add a Member
Section titled “Add a Member”passbox member add <email> [options]Invites a user to the vault. This performs a cryptographic key exchange (X25519) to securely share the vault’s encryption key with the new member.
| Option | Description |
|---|---|
--vault <name> | Vault name or ID |
--role <role> | Role: viewer, member, admin (default: member) |
passbox member add alice@example.com --vault my-app --role adminChange Member Role
Section titled “Change Member Role”passbox member role <email> <role> [options]Updates a member’s role. Requires admin or owner role. Owners cannot be demoted.
| Option | Description |
|---|---|
--vault <name> | Vault name or ID |
passbox member role alice@example.com admin --vault my-appRemove a Member
Section titled “Remove a Member”passbox member remove <email> [options]Removes a member from the vault. Requires admin or owner role.
| Option | Description |
|---|---|
--vault <name> | Vault name or ID |
passbox member remove alice@example.com --vault my-appService Tokens
Section titled “Service Tokens”Service tokens provide machine-to-machine authentication for CI/CD, scripts, and MCP servers.
List Tokens
Section titled “List Tokens”passbox token listShows all service tokens for your account.
Create a Token
Section titled “Create a Token”passbox token create --name <name> [options]Creates a new service token. The token value is shown once — save it securely.
| Option | Description |
|---|---|
--name <name> | Token name (required) |
--permissions <perms> | Comma-separated: read, write, delete (default: read) |
--vault <name> | Scope token to a specific vault |
passbox token create --name "github-actions" --permissions read# ✓ Token created: pb_abc123...# Save this token — it won't be shown again.Revoke a Token
Section titled “Revoke a Token”passbox token revoke <token-id>Permanently revokes a service token.
passbox token revoke abc123-def456Using Service Tokens
Section titled “Using Service Tokens”Set the token as an environment variable:
export PASSBOX_TOKEN=pb_abc123...passbox list # uses token auth instead of sessionOr use it in CI/CD:
# GitHub Actionsenv: PASSBOX_TOKEN: ${{ secrets.PASSBOX_TOKEN }}Roles Reference
Section titled “Roles Reference”| Role | Read Secrets | Write Secrets | Delete Secrets | Manage Members | Delete Vault |
|---|---|---|---|---|---|
viewer | Yes | No | No | No | No |
member | Yes | Yes | No | No | No |
admin | Yes | Yes | Yes | Yes | No |
owner | Yes | Yes | Yes | Yes | Yes |