Share Links

A share link is a token + URL bundle that lets a guest reach one CMDOP machine without a workspace API key. Useful for vendor support, cross-org pair debugging, or one-off CI bridges.

  • One token, one machine.
  • Bound to the workspace of the creator.
  • Time-limited (or permanent if you really want).
  • Authenticates like a Bearer <token> header — same wire shape as an API key.

Creating one

cmdop connect share <host> --ttl 24h

The TTL has hour granularity: --ttl 90m rounds up to 2 h, and --ttl 0 means the link never expires.

Output:

{
  "url": "https://share.cmdop.com/s/eyJhbGc...",
  "token": "eyJhbGc...",
  "machine_id": "01HABCDEF",
  "expires_at": "2026-04-26T12:34:56Z"
}

For piping:

cmdop connect share prod-1 --ttl 24h --json

Authentication on the wire

The guest opens the URL; the embedded token acts as a Bearer <token> for that one machine. The token is validated server-side, and the guest needs no additional CMDOP account.

When to use it

Common patterns:

  • Vendor support — “show this support engineer my prod-1 machine for 4 hours”.
  • Pair debugging across orgs — share a session URL with someone who doesn’t share your workspace.
  • One-time CI bridges — embedding a workspace API key would be overkill.

For routine multi-tenant access, use workspaces and proper roles instead.

Examples

# 24-hour link
cmdop connect share prod-1 --ttl 24h

# Never expires (avoid in production)
cmdop connect share staging-1 --ttl 0

# Pipe-friendly JSON output
cmdop connect share prod-1 --ttl 4h --json | jq -r .url

Revocation

Share links currently soft-delete on expiry; there is no manual revoke endpoint exposed. Two practical mitigations:

  • Keep TTLs short. Hours, not days.
  • Rotate the workspace API key if a long-lived link leaks. Token validation depends on the workspace key remaining valid.

Manual revocation is on the roadmap — track in the changelog.
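
Because a link cannot be revoked by hand, one way to enforce the short-TTL advice before a link is created is a pre-flight check in the shell. This is an added example, not CMDOP's own code: the function names, the MAX_SHARE_HOURS ceiling and the accepted TTL forms (<n>h, <n>m, 0) are assumptions based on the commands shown on this page.

```shell
#!/bin/sh
# Added example: pre-flight TTL policy for `cmdop connect share`.
# Assumption: TTLs look like "<n>h", "<n>m" or "0", the forms shown on this page.

MAX_SHARE_HOURS="${MAX_SHARE_HOURS:-8}"   # hypothetical team ceiling, in hours

# Print the effective lifetime in whole hours ("never" for 0).
# Minutes round up to the next hour, matching the documented 90m -> 2 h.
# Returns 2 when the value is not in a recognised form.
effective_ttl_hours() {
  ttl=$1
  case "$ttl" in
    0)  echo never; return 0 ;;
    *h) n=${ttl%h}; unit=h ;;
    *m) n=${ttl%m}; unit=m ;;
    *)  return 2 ;;
  esac
  case "$n" in
    ''|0*|*[!0-9]*) return 2 ;;   # empty, zero or leading zero, or non-digit
  esac
  if [ "$unit" = m ]; then
    n=$(( (n + 59) / 60 ))        # ceiling division to whole hours
  fi
  echo "$n"
}

# Print the effective hours and return 0 when the TTL is within policy.
# Returns 1 on a policy violation and 2 on an unrecognised value.
check_share_ttl() {
  hours=$(effective_ttl_hours "$1") || { echo "unrecognised TTL: $1" >&2; return 2; }
  if [ "$hours" = never ]; then
    echo "refusing --ttl 0: a non-expiring link cannot be revoked manually" >&2
    return 1
  fi
  if [ "$hours" -gt "$MAX_SHARE_HOURS" ]; then
    echo "refusing $1: effective ${hours}h exceeds ${MAX_SHARE_HOURS}h ceiling" >&2
    return 1
  fi
  echo "$hours"
}

# Create the link only when the TTL passes the check above.
share_with_policy() {
  host=$1 ttl=$2
  check_share_ttl "$ttl" >/dev/null || return $?
  cmdop connect share "$host" --ttl "$ttl" --json
}
```

Call share_with_policy prod-1 4h in place of the raw command; set MAX_SHARE_HOURS in the environment to change the ceiling.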

Limits

  • One machine per link. No fan-out across machines.
  • The link respects the receiver’s permissions.yaml. Guests cannot bypass the gate.
  • Per-link audit lives server-side; the client does not see guest activity in audit.log unless their tool calls reach the receiver.

Security

Anyone with the URL can reach the machine until the link expires. Treat share-link URLs like passwords. Send via a secure channel (Signal, encrypted email), not Slack DMs that get screenshotted.

TTLs have hour granularity: --ttl 90m is rounded up to 2 hours. Plan accordingly.