docs(cli): drop AGENTSFLEET_TOKEN; document AGENTSFLEET_API_KEY precedence

agents/troubleshooting.mdx

@@ -177,13 +177,12 @@ Pass `--json` for the structured envelope: `{ ok: bool, api_url: string, checks:
 
 ### Auth resolution order
 
-If `agentsfleet` keeps acting unauthenticated, your token might be coming from somewhere unexpected. Resolution order, highest priority first:
+If `agentsfleet` keeps acting unauthenticated, your bearer might be coming from somewhere unexpected. Resolution order, highest priority first:
 
-1. `--token <value>` flag
-2. `AGENTSFLEET_TOKEN` environment variable
-3. Stored credentials at `~/.config/agentsfleet/credentials` (written by `agentsfleet login`)
+1. `AGENTSFLEET_API_KEY` environment variable (a service API key)
+2. Stored credentials at `~/.config/agentsfleet/credentials.json` (written by `agentsfleet login`)
 
-Unset `AGENTSFLEET_TOKEN` if you've been running CI scripts that exported it; otherwise it overrides whatever `agentsfleet login` wrote.
+Unset `AGENTSFLEET_API_KEY` if you've been running CI scripts that exported it; otherwise it overrides whatever `agentsfleet login` wrote.
 
 ## When to escalate
 

api-reference/introduction.mdx

@@ -15,7 +15,7 @@ All API endpoints require a Bearer token in the `Authorization` header, except h
 
 ```bash
 curl https://api.agentsfleet.net/v1/workspaces/0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50/agents \
-  -H "Authorization: Bearer $AGENTSFLEET_TOKEN"
+  -H "Authorization: Bearer $AGENTSFLEET_API_KEY"
 ```
 
 Two kinds of bearer token are accepted:

cli/agentsfleet.mdx

@@ -40,7 +40,7 @@ agentsfleet login --token-name "kishore-macbook"
 
 ```bash
 # Non-interactive (CI, scripts): supply a token instead of the browser flow
-AGENTSFLEET_TOKEN="$MY_TOKEN" agentsfleet login
+agentsfleet login --token "$MY_TOKEN"
 # …or pipe it so it never lands in shell history
 printf '%s' "$MY_TOKEN" | agentsfleet login
 ```
@@ -49,13 +49,13 @@ After the token persists, `login` also fetches `GET /v1/tenants/me/workspaces` a
 
 Flags:
 
-- `--token <token>` — authenticate non-interactively with a token directly, skipping the browser entirely; the token is validated against the server and persisted. Prefer the `AGENTSFLEET_TOKEN` env var or piping the token on stdin to keep it out of your shell history. `--token-name` is ignored for any non-browser token source — `--token`, the `AGENTSFLEET_TOKEN` env var, or piped stdin — since there's no browser session to label.
+- `--token <token>` — authenticate non-interactively with a token directly, skipping the browser entirely; the token is validated against the server and persisted. Prefer piping the token on stdin to keep it out of your shell history. `--token-name` is ignored for any non-browser token source — `--token` or piped stdin — since there's no browser session to label.
 - `--token-name <label>` — human-readable device label persisted alongside the token. Defaults to your platform family (`macos-cli`, `linux-cli`, `windows-cli`). Shows up on the dashboard approval page (so you know which terminal you're approving for) and in `agentsfleet auth status`.
 - `--no-open` — print the auth URL instead of opening a browser automatically.
 - `--force` — skip the "you're already logged in as `<name>`, replace?" prompt.
-- `--no-input` — fail fast instead of prompting for the verification code. Supply a token non-interactively via `--token`, the `AGENTSFLEET_TOKEN` env var, or piped stdin.
+- `--no-input` — fail fast instead of prompting for the verification code. Supply a token non-interactively via `--token` or piped stdin.
 
-`agentsfleet login` resolves a token in priority order — the `--token` flag, then the `AGENTSFLEET_TOKEN` environment variable, then a token piped on stdin — and falls back to the browser device flow only on an interactive terminal with none of those set. A non-interactive shell (`--no-input`, or no terminal) with no token exits immediately with an error instructing you to supply one via `--token`, `AGENTSFLEET_TOKEN`, or piped stdin — the verification code can't be entered without a terminal.
+`agentsfleet login` resolves a token in priority order — the `--token` flag, then a token piped on stdin — and falls back to the browser device flow only on an interactive terminal with neither set. A non-interactive shell (`--no-input`, or no terminal) with no token exits immediately with an error instructing you to supply one via `--token` or piped stdin — the verification code can't be entered without a terminal. For unattended machine auth that doesn't log in at all, set `AGENTSFLEET_API_KEY` (it overrides a stored login on every command).
 
 The login session lives 5 minutes; an unfinished approval expires automatically. The verification code's 6-digit shape is checked locally before it's sent, so a typo just re-prompts. Wrong (but well-formed) code attempts cap at 5 per session — a sixth wrong code aborts the session and you re-run `agentsfleet login`.
 
@@ -67,11 +67,11 @@ Removes local credentials (`~/.config/agentsfleet/credentials.json`) and aborts
 agentsfleet logout
 ```
 
-Does **NOT** revoke your active session token — JWTs are short-lived (~15 min) and expire on their own. Does **NOT** touch the `AGENTSFLEET_TOKEN` environment variable — if it's set, subsequent commands continue to use that token until you unset it.
+Does **NOT** revoke your active session token — JWTs are short-lived (~15 min) and expire on their own. Does **NOT** touch the `AGENTSFLEET_API_KEY` environment variable — if it's set, subsequent commands continue to authenticate with that key (it overrides a stored login) until you unset it.
 
 ### `agentsfleet auth status`
 
-Inspect the stored credential without re-authenticating. Resolves the token source (file vs `AGENTSFLEET_TOKEN` env vs none), decodes the JWT claims (`iss`, `aud`, `sub`, `metadata.tenant_id`, `metadata.role`, `exp`), surfaces the `token_name` label persisted at login, and probes `GET /v1/tenants/me/billing` to check the token is still accepted by the server.
+Inspect the active credential without re-authenticating. Resolves the token source (`AGENTSFLEET_API_KEY` env vs the stored login file vs none), decodes the login JWT's claims when present (`iss`, `aud`, `sub`, `metadata.tenant_id`, `metadata.role`, `exp`), surfaces the `token_name` label persisted at login, and probes `GET /v1/tenants/me/billing` to check the credential is still accepted by the server.
 
 ```bash
 agentsfleet auth status

cli/configuration.mdx

@@ -8,16 +8,15 @@ description: "Configuration precedence and environment variables."
 `agentsfleet login` decides which token to **store**, highest priority first:
 
 1. **`--token <value>`** — login-only flag
-2. **`AGENTSFLEET_TOKEN`** environment variable
-3. **Piped stdin** — token read from a pipe
-4. **Browser device flow** — interactive terminals only
+2. **Piped stdin** — token read from a pipe
+3. **Browser device flow** — interactive terminals only
 
-Every **other command** then resolves its token, and the order is TTY-aware:
+Every **other command** then resolves which bearer to send:
 
-- **Interactive terminal** — `AGENTSFLEET_TOKEN` wins over stored credentials, so an env var you just exported overrides a possibly-stale file.
-- **Non-interactive (CI, cron, pipes)** — stored credentials (written by `agentsfleet login` to `~/.config/agentsfleet/credentials.json`) win, falling back to `AGENTSFLEET_TOKEN` only when no file exists.
+- **`AGENTSFLEET_API_KEY`** (a service API key) wins whenever it is set — an exported key overrides whatever `agentsfleet login` stored, so machines and CI authenticate as that key.
+- Otherwise the **stored credentials** written by `agentsfleet login` to `~/.config/agentsfleet/credentials.json` are used.
 
-`--token` is not accepted on commands other than `login`; use the `AGENTSFLEET_TOKEN` env var for one-off overrides in scripts.
+`--token` is not accepted on commands other than `login`; set `AGENTSFLEET_API_KEY` for non-interactive script and CI auth.
 
 ## API URL precedence
 
@@ -32,8 +31,7 @@ Every **other command** then resolves its token, and the order is TTY-aware:
 |----------|---------|---------|
 | `AGENTSFLEET_API_URL` | API base URL | `https://api.agentsfleet.net` |
 | `AGENTSFLEET_DASHBOARD_URL` | Dashboard base URL — used for the login verification page. | `https://app.agentsfleet.net` |
-| `AGENTSFLEET_TOKEN` | Auth token (for CI and scripts; user-bound, from `agentsfleet login`) | *(from `agentsfleet login`)* |
-| `AGENTSFLEET_API_KEY` | Service auth (machine-bound, from `agentsfleet agent-key add`). Use this for service-to-service calls and external agents (LangGraph, CrewAI, Composio, your own code). | — |
+| `AGENTSFLEET_API_KEY` | Service auth (machine-bound). Sent as the bearer and **overrides a stored `login` session**. Use this for CI, service-to-service calls, and external agents (LangGraph, CrewAI, Composio, your own code). | — |
 | `AGENTSFLEET_STATE_DIR` | Directory for local CLI state (credentials, telemetry, session). | `~/.config/agentsfleet` |
 | `NO_COLOR` | Set to `1` to disable color output. | — |
 | `AGENTSFLEET_TELEMETRY_DISABLED` | Set to `1` to opt out of anonymous analytics + tracing. | unset (telemetry on) |
@@ -67,9 +65,9 @@ Either env variable forces consent to `denied` regardless of the persisted value
 
 ## CI usage
 
-In CI environments, set `AGENTSFLEET_TOKEN` from your secrets manager and use `--no-input` for non-interactive operation:
+In CI environments, set `AGENTSFLEET_API_KEY` from your secrets manager and use `--no-input` for non-interactive operation:
 
 ```bash
-export AGENTSFLEET_TOKEN="$AGENTSFLEET_SECRET"
+export AGENTSFLEET_API_KEY="$AGENTSFLEET_SECRET"
 agentsfleet status --no-input --json
 ```

index.mdx

@@ -7,34 +7,18 @@ description: "agentsfleet is a fleet of prebuilt AI teammates for recurring engi
   agentsfleet is in early access. Join the waitlist to get in — or email [agentsfleet@agentmail.to](mailto:agentsfleet@agentmail.to) to come on as a design partner.
 </Card>
 
-## A teammate that owns the outcome
-
-A pull request lands. A deploy fails at 2am. Normally someone guesses from a stack trace and ships a patch on hope — and by morning the context is gone, evidence scattered across CI, logs, dashboards, and chat.
-
-A teammate owns the outcome instead. An **agent** is a durable runtime described in two markdown files — `SKILL.md` (the senior engineer's playbook in prose) plus `TRIGGER.md` (which tools the agent can reach and which events wake it). When a trigger fires, it gathers the evidence, reasons over it, opens a scenario-backed fix, posts an evidenced diagnosis to your Slack channel, and keeps a replayable log of every move — holding at human approval before anything merges or ships.
-
-`platform-ops` is **one** prebuilt teammate, and more keep joining the fleet — code review, incident triage, security review. It wakes on a GitHub Actions deploy failure, pulls workflow logs + your hosting provider's app state + your data-plane's health, and posts a one-paragraph diagnosis with a leading hypothesis. The same agent is reachable via `agentsfleet steer` for a manual investigation. The runtime is open source, you bring your own model and pay your provider directly, and the agent never sees your raw keys — only `${secrets.NAME.FIELD}` placeholders, swapped for real values outside the sandbox.
+Each one wakes on an event — a pull request, an incident, a deploy — investigates across your code, telemetry, and live control-plane state, opens a scenario-backed fix, and waits for human approval before it ships. Every move lands in a durable, replayable log — evidenced answers, never chat.
 
 ## Get started
 
-`platform-ops` goes from a cold machine to a real diagnosis in Slack in about ten minutes. Install the CLI, add the host skills, and sign in:
+Install `agentsfleet` and the host skills in one command:
 
 ```bash
-npm install -g @agentsfleet/cli
-npx skills add agentsfleet/skills
-agentsfleet login
-```
-
-Then invoke the install skill inside your agent — Claude Code, Amp, Codex CLI, or OpenCode:
-
+curl -fsSL https://agentsfleet.dev | bash
 ```
-/agentsfleet-install-platform-ops
-```
-
-The skill registers the GitHub webhook and writes `SKILL.md` + `TRIGGER.md` into your repo. From there, behaviour iterates on prose, not redeploys.
 
-<Card title="Full quickstart →" icon="rocket" href="/quickstart" horizontal>
-  Sign in, install `platform-ops`, and trigger a real diagnosis — step by step from a cold machine.
+<Card title="Start your first fleet →" icon="rocket" href="/quickstart" horizontal>
+  Sign in, install `platform-ops`, and trigger your first real diagnosis — step by step from a cold machine.
 </Card>
 
 ## Explore

quickstart.mdx

@@ -45,7 +45,7 @@ This walks through installing the flagship `platform-ops` agent on one of your r
   <Tip>Pass `--token-name "your-device-label"` to label this install so it's easy to recognize on the approval page and in `agentsfleet auth status` later. Defaults to your platform family otherwise.</Tip>
 
   <Note>
-    **No terminal — CI, or an agent driving the CLI?** Skip the browser entirely: supply a token via the `--token <token>` flag, the `AGENTSFLEET_TOKEN` environment variable, or piped on stdin — resolved in that order (prefer the env var or stdin to keep it out of shell history). Add `--no-input` to fail fast instead of waiting for the code — a no-TTY shell with no token exits with an error. Full precedence in [`agentsfleet login`](/cli/agentsfleet#agentsfleet-login).
+    **No terminal — CI, or an agent driving the CLI?** Skip the browser entirely: supply a token via the `--token <token>` flag or piped on stdin — resolved in that order (prefer stdin to keep it out of shell history). For ongoing machine auth, set the `AGENTSFLEET_API_KEY` environment variable instead of logging in — it is sent on every request and overrides a stored login. Add `--no-input` to fail fast instead of waiting for the code — a no-TTY shell with no token exits with an error. Full precedence in [`agentsfleet login`](/cli/agentsfleet#agentsfleet-login).
   </Note>
 </Step>