Thirdfy Agent CLI
Install, authenticate, and run Thirdfy agent commands for onboarding, action discovery, governance preflight, execution, and status polling.
Thirdfy Agent CLI
Use the thirdfy-agent CLI to onboard agents, discover actions, run governance preflight checks, queue execute-intent requests, and poll status with stable JSON output.
The CLI is designed for agent developers building on Thirdfy governance rails. Use --json for deterministic machine output.
Install
Or use directly:
Authentication model
There are three credentials with different trust scopes:
| Credential | Purpose | Used by |
|---|---|---|
AGENT_API_KEY | Agent identity + execution authorization | actions --agent-api-key, preflight, run |
THIRDFY_AUTH_TOKEN | Privy-native owner auth (or user-scoped account auth) | agent register, agent key *, credits balance, delegation/credentials commands |
THIRDFY_OWNER_SESSION_TOKEN | Wallet-sign owner auth (challenge/verify flow) | agent register, agent key * |
Set them in your shell:
Execution-only mode (no user auth token at runtime)
If you already have a valid AGENT_API_KEY, you can run execute-intent flows without THIRDFY_AUTH_TOKEN.
Use this mode for:
- agent-controlled execution workers
- bots that only do action discovery + preflight + run + intent-status
- integrations where onboarding/admin steps are handled separately
In this mode, use:
By default, thirdfy-agent uses production (https://api.thirdfy.com). Use --api-base only for staging/dev/custom deployments.
THIRDFY_AUTH_TOKEN is still required for account-scoped commands such as credits balance, delegation *, and credentials *.
For onboarding owner operations (agent register, agent key *), you can use either:
THIRDFY_AUTH_TOKEN(Privy-native path), orTHIRDFY_OWNER_SESSION_TOKEN(wallet-sign path)
Which token does each command need?
| Command group | AGENT_API_KEY | THIRDFY_AUTH_TOKEN | THIRDFY_OWNER_SESSION_TOKEN |
|---|---|---|---|
actions (public discovery) | Optional | Not required | Not required |
actions --agent-api-key (policy-aware) | Required | Not required | Not required |
preflight | Required | Not required | Not required |
run | Required | Not required | Not required |
intent-status | Not required | Not required | Not required |
agent auth challenge / agent auth verify | Not required | Not required | Not required |
agent register | Not required | Optional (Path A) | Optional (Path B) |
agent key rotate / agent key revoke | Not required | Optional (Path A) | Optional (Path B) |
delegation create / delegation activate / delegation status | Not required | Required | Not required |
credentials status / credentials upsert | Not required | Required | Not required |
credits balance and account-scoped operations | Optional/depends | Required | Not required |
Quickstart flow
1) Discover catalogs and actions
Policy-aware action view:
2) Governance preflight
3) Queue execution intent
Run mode selection (thirdfy / self / hybrid)
The same command surface supports three execution topologies:
--run-mode thirdfy: Thirdfy-governed execute-intent (default forprofile=network)--run-mode self: self-custody unsigned transaction flow (default forprofile=personal)--run-mode hybrid: self-custody + governance mirror metadata (default forprofile=builder)
Profile/run-mode precedence:
- CLI flag (
--run-mode) - env (
THIRDFY_RUN_MODE) - saved profile config (
~/.thirdfy/config.json) - profile defaults
profile use --profile <name> reapplies that profile's default run mode unless you explicitly pass --run-mode.
Jeff aliases (same rails, faster UX)
CLI comparison: Thirdfy vs Bankr vs Boba
Thirdfy is designed to keep a simple operator experience (swap, preflight, run) while adding governance and protocol safety rails.
| Dimension | Thirdfy CLI | Bankr Bot style | Boba CLI style |
|---|---|---|---|
| Primary UX | deterministic CLI commands + --json | prompt-first conversational bot UX | CLI + local proxy (boba proxy) |
| Swap surface | canonical swap for users | mostly prompt/instruction driven | canonical swap flows plus strategy verbs |
| Governance gate | built-in preflight and policy blocks (PREFLIGHT_BLOCKED) | usually strategy/user-policy centric | provider/backend policy centric |
| Delegation integration | first-class (delegation *, credentials *) | varies by integration | varies by provider integration |
| Execution lanes | thirdfy, self, hybrid | usually abstracted in bot UX | provider-managed execution rails |
| Deterministic retries | explicit idempotency on run | implementation-specific | implementation-specific |
| Protocol alignment | directly mapped to Thirdfy governance + incentives rails | external to Thirdfy by default | external to Thirdfy by default |
Practical takeaway:
- If you want a single CLI command standard and governance-backed execution, use Thirdfy as the control plane.
- If you already use Bankr/Boba style agents, you can still route execution through Thirdfy via
AGENT_API_KEY+ delegation readiness.
Using delegation with external agents (Bankr/Boba-style)
You can keep your own agent runtime and still integrate with Thirdfy governance/protocol:
- Onboard/own the agent (
agent registerusing Privy or wallet-sign owner auth). - Set delegation readiness (
delegation create,delegation activate,delegation status). - Set venue credentials if required (
credentials upsert,credentials status). - Discover allowed actions with policy-aware
actions --agent-api-key. - Gate every trade through preflight.
- Execute via
runwith idempotency and monitor viaintent-status.
This gives external agents:
- their own UX/runtime,
- plus Thirdfy governance controls,
- plus protocol-level attribution/incentive alignment.
Delegation storage model (recommended)
For delegated execution lanes, use a hybrid model:
- Onchain is the authority for execution validity (delegation manager checks signature/delegate/expiry/revocation).
- Thirdfy infra stores delegation state for routing, preflight, and auditing.
What to store in Thirdfy infra (recommended):
userDid,agentKey,chainId,walletAddressdelegationManager,sessionAccountAddress,sessionAccountTypepermissionsContext(or equivalent hash/context id)permissionsExpiry- signed delegation payload (for deterministic replay/verification and audit)
- status lifecycle (
active,revoked, timestamps, revoke reason)
What not to store:
- private keys, seed phrases, OTP codes, or signer secrets
- raw long-lived exchange secrets in plaintext
Practical rule:
- Store enough metadata to make delegation checks deterministic in
preflight/run. - Re-verify effective validity against current chain state before execution in Thirdfy-managed lanes.
This matches advanced-permission style delegated execution patterns: infra tracks and indexes delegation state, while cryptographic validity remains enforceable by signed payload + onchain validation.
Add your agent to Thirdfy governance + protocol
To make an external agent participate in Thirdfy rails (not only call raw actions):
- Register the agent identity (
agent register). - Keep owner auth active for lifecycle operations (
agent key rotate/revoke). - Configure delegation and credential readiness for your target venues/chains.
- Use policy-aware discovery and preflight before execution.
- Use stable idempotency keys in production workers.
This path lets your agent:
- operate under Thirdfy governance checks,
- interoperate with protocol actions safely,
- and evolve from standalone execution into protocol-native participation.
4) Poll intent status
Onboarding and key lifecycle
Choose one onboarding owner-auth mode:
Path A: Privy-native owner auth
Path B: Wallet-sign owner auth
Rotate/revoke API key with either owner auth mode:
Create an OpenClaw agent with the CLI
Use this path when you want a practical, command-line-only onboarding flow for OpenClaw.
Prerequisites
- Either
THIRDFY_AUTH_TOKEN(Privy path) orTHIRDFY_OWNER_SESSION_TOKEN(wallet-sign path) for owner onboarding operations. - A wallet address for
--agent-key(this is the agent identity). - API environment with onboarding enabled (local/staging/production policy dependent).
Step 1) Prove owner identity (choose one mode)
Privy-native:
Wallet-sign:
Step 2) Register the agent
Or wallet-sign:
Step 3) Get and verify the agent API key
After registration/approval, copy agentApiKey from the response or Creator Platform and export it:
If this succeeds, the agent key is active for policy-aware action discovery.
Step 4) Check delegation readiness
If required by your governance mode, configure delegation:
Step 5) Check venue credential readiness (if action requires it)
Step 6) Run first OpenClaw flow (preflight -> run -> intent-status)
Then poll the returned intentId:
There is no agent claim step in the current CLI onboarding flow. OpenClaw setup is register + readiness checks + preflight/run.
Delegation and credentials checks
Troubleshooting
Invalid agent API key-> validateAGENT_API_KEY, agent approval state, and action allowlist.Authentication requiredorInvalid Privy token-> refreshTHIRDFY_AUTH_TOKEN.Missing required onboarding schema (...)-> backend migration is missing; apply latest onboarding DB migration before using wallet-sign owner auth.SELF_MODE_NO_FANOUT->selfrun-mode cannot use delegated execute-intent fanout; use selfbuild-tx/unsigned transaction flow.DELEGATION_MISSING-> Thirdfy-managed lane (thirdfyor hybrid mirror) has no active delegation/subscriber context.POLICY_BLOCKED-> governance preflight denied one or more subscribers; inspectblockedByReasonandresults.PROVIDER_UNAVAILABLE-> selected action/provider does not support execute-intent rail for this lane.PREFLIGHT_BLOCKED-> check governance fields (blocked,blockedByReason,results).INTENT_NOT_FOUND-> confirmintentIdand environment match (production vs staging/dev API base).capabilitiesVersion: nullin meta -> target API may not expose/api/v1/agent/cli/capabilitiesyet.