Credential types
| Credential | Used by | Notes |
|---|---|---|
| Browser login | CLI on a developer machine | Stored in ~/.config/aeo/config.json. |
atok_* Aeolo token | MCP, CI, external agents | Sent as bearer auth. Prefer read; use read_write only for approved writes. |
| Dashboard session | Web app | Not interchangeable with CLI config. |
Domain access
Most commands require a domain. Resolution differs by surface. CLI resolution order:- Explicit
--domain. AEOLO_DOMAIN_ID.- Active domain selected by
aeo domain switch. - Error asking the caller to choose a domain.
domainId in aeo_execute_command. Start with aeo_list_domains; omit domainId only when the account has exactly one obvious domain.
Membership and billing
Remote requests must pass membership checks before reading or mutating a domain. Credit-metered operations also check billing state.read tokens can run commands classified as read-only by the MCP command registry. read_write is required for mutations, paid jobs, public preview links, deploys, publishes, deletes, and external source access such as Google Drive reads. Treat aeo_execute_command as a mixed-risk tool: classify the command string before calling it.
High-risk examples:
aeo content deployaeo post publishaeo visibility check runaeo audit runaeo content generateaeo reference analyzeaeo video generate