Skip to content
Shepherd

verifyApiKey

verifyApiKey(deps): Promise<VerifyKeyResult>

Defined in: src/verify-key.ts:154

Verify the configured Anthropic API key actually authenticates, END-TO-END through the same api-key spawn wiring real agents use: a transient interactive claude (subscription-style OAuth spawn — NOT claude -p) with the key supplied via the apiKeyHelper + credential-less CLAUDE_CONFIG_DIR. Spawns haiku in a fresh temp dir with only Write, instructed to write SENTINEL to VERIFY_FILE; polls for that file, fast-fails on an auth error in the pane, then tears the agent + dir down.

WHY the sentinel-file + pane-matcher discriminator: a claude spawned this way does NOT exit after its turn — on success it writes the file and goes idle; on a 401 it renders the error and ALSO stays idle. herdr exposes no liveness/exit field, so the ONLY way to tell the two apart is the sentinel file (good) vs an auth-error in the pane (bad). Hence matchAuthError is load-bearing, not a nicety.

Fail-closed: never spawns unless api-key mode is selected AND a key is configured. Secret hygiene: this function never receives the raw key (only the helper PATH via config) and never logs pane text / detail verbatim — detail is clipped.

Parameters

Section titled “Parameters”

deps

Section titled “deps”

VerifyKeyDeps

Returns

Section titled “Returns”

Promise<VerifyKeyResult>