> ## Documentation Index
> Fetch the complete documentation index at: https://docs.openbug.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Identity and Access Management

> Configure service-level permissions, environment-specific access patterns, and API key security.

#### Per-service access flags (`openbug.yaml`)

Each service has an `openbug.yaml` with two key flags:

* `logs_available` (boolean)
  * If `true`, the AI can call log tools for this service: `read_logs`, `tail_logs`, `grep_logs`, `get_recent_errors`.
  * If `false`, these tools are denied, and the AI can only work with log text embedded directly in your question.
* `code_available` (boolean)
  * If `true`, the AI can call code tools for this service: `read_file`, `grep_search`.
  * If `false`, these tools are denied, and the AI cannot read or search your codebase for that service.

When a tool call arrives from the OpenBug debugging service, the CLI checks these flags:

* If access is allowed, the tool runs locally and the result is sent back.
* If access is denied, the CLI posts a denial message instead of running the tool, and the AI continues with limited context.

#### Environment-specific patterns

You can use the same project `id` across environments but tune flags per service:

* **Development**
  * Typical: `logs_available: true`, `code_available: true`
  * AI can both inspect logs and read/search code to propose fixes.
* **Staging / Pre-production**
  * Possible: `logs_available: true`, `code_available: true` or `false` depending on sensitivity.
* **Production**
  * Typical: `logs_available: true`, `code_available: false`
  * AI can analyze operational logs for incidents without reading production code.

#### Project and cluster boundaries

* **Project ID (`id`)** groups services into a logical app.
* **Service ID (`window_id`)** identifies a specific service instance within that app.

The server (`debug`) shares only:

* Service metadata: `id`, `name`, `description`, `path`, `window_id`.
* Access flags: `logs_available`, `code_available`.

Cluster information lets the AI see which services exist in the app, decide which it can access based on flags, and route tool calls to the correct service instance.

#### Credential management

Authentication to the OpenBug debugging service is via an API key stored in `~/.openbug/config`:

```bash theme={null}
API_KEY=your-api-key-here
```

* Set this once per machine with `debug login your-api-key`.
* Each API key is tied to usage visible in the OpenBug dashboard.

***

<Note>
  **If you need to rotate a key:**

  1. Create a new key in the OpenBug dashboard.
  2. Run `debug login <new-api-key>` to update `~/.openbug/config`.
  3. If you no longer want the old key to be usable, delete it from the OpenBug dashboard ([app.openbug.build](https://app.openbug.build/)).
</Note>
