Auth And Config Recovery¶
Purpose¶
Use this guide when login works on one machine but not another, a support run uses the wrong Bullpen profile, copied credentials fail to decrypt, or auth diagnostics mention missing local credential files. Start with read-only diagnostics and generated command references before removing local state.
This guide covers local auth and profile recovery only. It does not repair server-side account, KYC, wallet-routing, or funds state.
Before You Start¶
- Run every command from the same shell, machine, and Bullpen account that saw the failure.
- Do not delete
~/.bullpenas the first recovery step. It can remove config, logs, local keys, and wallet-routing evidence. - Do not copy or paste private keys, seed phrases, JWTs, API tokens,
credentials.json.enc, or full config files into support tickets. - Set both
BULLPEN_HOMEandBULLPEN_CONFIGwhen isolating a support or CI profile. Setting only one can mix credentials from one profile with config from another.
Safe First Command¶
Run auth and config diagnostics before login or local reset. Both commands are read-only.
doctor auth reports token health, onboarding state, wallet readiness, local
credential-file health, and a credential_storage object. The storage object
is non-mutating and helps support distinguish encrypted credentials, legacy
plaintext credentials, both files, no local credentials, and ephemeral test
stores without decrypting or rewriting local auth files. config show reports
effective config without printing secrets. See the generated
doctor auth and
config show references for exact flags.
A logged-in session is three credentials with different lifetimes: the JWT
access token (~15 minutes, auto-refreshed), the refresh token (~30 days), and
the signing session (~7 days). A normal access-token expiry should refresh
automatically. Run bullpen login only when diagnostics report that the refresh
token was rejected or the signing session must be renewed. Do not delete local
state unless the CLI explicitly identifies unrecoverable credential storage.
If a command fails during a transient refresh, run bullpen fix --refresh once
and follow its single next action.
Newer builds also include nullable session_recovery metadata on
bullpen status --output json and bullpen doctor auth --output json.
When it is present, branch on session_recovery.code, requires_login,
safe_to_retry, and next_command. Do not start login, forced logout, or file
cleanup from prose alone.
Example output
{
"status": "error",
"error_code": "AUTH_REAUTHENTICATION_REQUIRED",
"credentials_valid": true,
"token_valid": false,
"token_expires_in_secs": null,
"refresh_token_expires_in_secs": null,
"keypair_valid": true,
"wallet_ready": false,
"trade_auth_state": "reauthentication_required",
"trade_auth_blocked": true,
"trade_auth_blocker_reason": "No local Bullpen session is available.",
"turnkey_signing_session_present": true,
"turnkey_signing_session_expired": true,
"session_recovery": {
"state": "login_required",
"code": "auth_login_required",
"requires_login": true,
"safe_to_retry": false,
"next_command": "bullpen login"
},
"remediation": {
"action": "reauthenticate",
"command": "bullpen login",
"message": "Refresh local Bullpen and Turnkey credentials, then retry the real trade."
}
}
If the issue involves a copied headless profile, run the deployment diagnostic from the destination machine too.
See the generated
doctor deploy-auth reference.
Choose The Recovery Path¶
Use the smallest recovery action that matches the diagnostic result.
| Diagnostic result | Next safe action |
|---|---|
| You are not logged in, the device code expired, or the browser did not open | Run bullpen login or bullpen login --no-browser. |
You were away and signing/trading now fails, or turnkey_signing_session_expired is true |
Run bullpen login to mint a fresh session. The refresh token (~30 days) or Turnkey signing session (~7 days) expired. Do not delete ~/.bullpen first. |
credentials.json.enc or credential_salt.bin is missing or corrupt |
Run bullpen login; it moves unreadable local auth files aside and starts a fresh session. Run bullpen doctor auth --output json first if you need support to inspect copied-home state. |
| You choose to reset unrecoverable local auth state | Run bullpen logout --force && bullpen login as the last-resort local reset. |
doctor auth says local keypair repair is applicable |
Run bullpen doctor auth --repair --yes only after saving the read-only JSON. |
| The command is using the wrong account, environment, or config file | Create or inspect an isolated profile with both BULLPEN_HOME and BULLPEN_CONFIG. |
| A partial copied credential bundle, changed absolute home, or username mismatch is blocking unattended deployment | Restore the complete source bundle or re-login on the destination machine; do not keep copying partial auth files. |
For copied homes, confirm that credentials.json.enc, credential_salt.bin,
and keys/ came from the same source profile. Use the same absolute
BULLPEN_HOME and the same BULLPEN_USERNAME_OVERRIDE on both machines, then
run bullpen doctor deploy-auth --output json on the destination host before
running unattended commands.
Use a local persistent filesystem for copied-home auth. NFS mounts,
cloud-synced folders, and container volumes are not validated for release by the
source tests alone. doctor deploy-auth and the read-only auth smoke are
necessary diagnostics for that exact runtime, not proof that every
NFS/cloud-sync/container lock and fsync behavior is safe. If the path, username
component, or bundled files differ, create a fresh login on the destination host
instead of trying to repair pieces independently.
Use the generated login,
logout, and
doctor auth references before running a
destructive reset.
For deterministic CI or release smoke runs, set
BULLPEN_DISABLE_UPDATE_CHECK=1 before read-only diagnostics. This disables the
background update-check cache write only; it does not change credential loading,
refresh, or trading behavior.
Isolate A Support Profile¶
Create a profile that keeps config, credentials, and logs together. This does
not touch the default ~/.bullpen profile.
export BULLPEN_HOME="$PWD/.bullpen-support-home"
export BULLPEN_CONFIG="$BULLPEN_HOME/config.toml"
mkdir -p "$BULLPEN_HOME"
bullpen config init
bullpen config show --output json
Label: configure. config init writes a local config file in the isolated
profile. It does not log in or move funds. If BULLPEN_CONFIG points to a
missing file, Bullpen fails closed instead of silently using the default
profile.
After config show confirms the expected path, log in to that profile.
Use --no-browser when the login browser is on a different machine or when you
need to copy the device-code URL into an existing browser session.
Local Reset Boundaries¶
Local reset commands only affect files on the current machine and profile. They do not repair server-side account state, wallet routing, missing deposits, or trading permissions.
Run a normal logout when the credential store is readable.
Label: destructive local reset. This removes local credentials for the active profile.
Use forced logout only as a last-resort local reset after bullpen login cannot
move unreadable local auth aside or support asks for a full local reset.
Label: destructive local reset. This clears local auth files before a fresh
login. Keep doctor auth --output json output before running it when possible.
When you need a support-safe machine-readable reset report, use
bullpen logout --force --output json. The JSON report returns top-level
server_warning and force_wipe fields, redacts local absolute paths, and
marks the reset as destructive.
Use auth repair only when the diagnostic output names that repair.
Label: destructive, support-facing. This backs up and removes a corrupt
local keypair file when doctor auth says the repair is applicable. It is not
the generic fix for missing encrypted credentials or missing salt files.
Support Capture¶
For support tickets, include sanitized output from the failing profile:
bullpen --version
bullpen status --output json
bullpen doctor auth --output json
bullpen config show --output json
If the issue involves copied credentials or a headless host, include:
Do not attach secrets, full config files, full logs, credential files, key directories, JWTs, or private keys. If support needs wallet-routing or funds evidence too, switch to the Wallet Routing And Funds Recovery guide.