Configuration & Credentials
How credentials management works in .systemprompt/ - sessions, tenants, profiles, secrets, and cloud deployment.
On this page
After Reading This
You will be able to:
- Understand how credentials management works in .systemprompt/
- Know the relationship between sessions, tenants, and profiles
- Authenticate with SystemPrompt Cloud via OAuth
- Deploy and sync configuration to cloud
SystemPrompt uses a layered credential system stored in the .systemprompt/ directory. This system manages authentication, multi-tenancy, and environment-specific configuration so you can run the same project in development, staging, and production with complete isolation.
How It Works
The credential system follows a clear hierarchy. Understanding this flow is essential for managing SystemPrompt effectively.
Cloud Login creates your authentication token. This token identifies you across all SystemPrompt operations and enables access to cloud features.
Tenants are isolated environments that own databases and configuration. You might have a local tenant for development and a cloud tenant for production. Each tenant is completely separate.
Profiles are environment configurations within a tenant. A profile contains all the settings needed to run SystemPrompt: database connection, API keys, server configuration, and runtime options.
Sessions track your active CLI state. When you run commands, the session determines which profile is active and authenticates your requests.
The Credential Flow
Cloud Login (credentials.json)
│
└── Authenticates you with SystemPrompt Cloud
│
▼
Tenants (tenants.json)
│
└── Isolated environments (local or cloud)
│
▼
Profiles (profiles/<name>/)
│
└── Environment config + secrets for each tenant
│
▼
Sessions (sessions/index.json)
│
└── Active CLI state, determines which profile is used
Directory Structure
The .systemprompt/ directory contains all credential and configuration files. These files are gitignored by default to protect sensitive data.
.systemprompt/
├── credentials.json # Cloud authentication (OAuth token)
├── tenants.json # Registry of all tenants
├── sessions/
│ └── index.json # Active session state per tenant
├── profiles/
│ ├── local/
│ │ ├── profile.yaml # Environment configuration
│ │ ├── secrets.json # API keys, DATABASE_URL (gitignored)
│ │ └── docker/ # Local Docker compose files
│ └── production/
│ ├── profile.yaml
│ └── secrets.json
└── docker/
└── shared.yaml # Shared PostgreSQL container
Quick Start
Get running with SystemPrompt in four steps.
1. Authenticate with Cloud
just login
Opens your browser for GitHub or Google OAuth. Creates credentials.json with your API token.
2. Create or Select a Tenant
systemprompt cloud tenant create --type local
# or
systemprompt cloud tenant list
systemprompt cloud tenant select <tenant-id>
Local tenants run PostgreSQL in Docker. Cloud tenants use managed infrastructure.
3. Create a Profile
systemprompt cloud profile create local
Generates profiles/local/ with profile.yaml and secrets.json. The wizard prompts for database URL and API keys.
4. Start Services
just db-up # Start PostgreSQL
just migrate # Run database migrations
just start # Start the server
Your session is now active. All CLI commands use the local profile by default.
Configuration Sections
| Section | Purpose |
|---|---|
| Database | PostgreSQL connection setup |
| Deployment | Deploy to SystemPrompt Cloud |
| Docker | Container configuration for local and cloud |
| Domains | Custom domain setup with TLS |
| Profiles | Environment-specific settings |
| Secrets | API keys and sensitive credentials |
| Sessions | CLI authentication state and profile switching |
| Sync | Push/pull configuration between environments |
| Tenants | Isolated environments (local and cloud) |
Cloud Features
SystemPrompt Cloud is managed infrastructure for AI agents. Deploy with a single command, sync configuration between environments, and use custom domains with automatic TLS.
| Feature | Description |
|---|---|
| One-Command Deploy | systemprompt cloud deploy pushes configuration to production |
| Managed Database | PostgreSQL with automatic backups |
| Auto-Scaling | Handle traffic spikes without configuration |
| Custom Domains | Use your domain with automatic Let's Encrypt certificates |
| Code Sync | Push and pull configuration between local and cloud |
Free vs Paid
| Feature | Local (Free) | Cloud (Paid) |
|---|---|---|
| AI agents | Unlimited | Unlimited |
| Database | Docker PostgreSQL | Managed PostgreSQL |
| Hosting | Your machine | SystemPrompt Cloud |
| Custom domain | localhost only | Any domain |
| TLS/HTTPS | Self-signed | Automatic certificates |
| Scaling | Manual | Automatic |
Local development is free forever. Cloud hosting is a paid service.
Profile Priority
When you run a CLI command, SystemPrompt determines which profile to use in this order:
--profileflag on the commandSYSTEMPROMPT_PROFILEenvironment variable- Active session from
sessions/index.json - Default profile
This lets you override the active profile for individual commands without switching sessions.
Git Ignore
All sensitive files are automatically gitignored:
.systemprompt/credentials.json
.systemprompt/tenants.json
.systemprompt/sessions/
.systemprompt/profiles/*/secrets.json
Profile configuration (profile.yaml) can be committed since it contains no secrets. This makes it easy to share environment settings across a team while keeping credentials private.
In this section
Code Sync
Synchronize configuration between local development and SystemPrompt Cloud. Push, pull, and resolve conflicts.
Custom Domains
Configure custom domains for SystemPrompt Cloud with automatic TLS certificates via Let's Encrypt.
Database
Configure PostgreSQL database connection for SystemPrompt. One connection string is all you need.
Deployment
Deploy AI agents to SystemPrompt Cloud with a single command. CI/CD integration, zero-downtime deployments, and rollback strategies.
Docker Configuration
Docker serves two purposes in SystemPrompt: running PostgreSQL locally and deploying your application to production.
Profiles
Environment configurations for SystemPrompt. Each profile contains all settings needed to run in a specific environment.
Secrets & Credentials
Manage API keys, credentials, and sensitive configuration for local development and cloud deployments.
Sessions
CLI authentication state and profile switching. Sessions track which profile is active and authenticate your requests.
Tenants
Isolated environments for SystemPrompt. Local tenants run on your machine, cloud tenants run on managed infrastructure.