Credentials
Credential inventory with Bitwarden entry names. NEVER store actual secrets in this file.
Admin Accounts
| Account |
Purpose |
| invotekas@gmail.com |
Invotek admin — Cloudflare login, Tailscale login, Cloudflare Access |
| codiedev42@gmail.com |
Dev/project — Bitwarden, Xcode Cloud notifications, Google Drive |
| post@stigjohnny.no |
Personal — vCluster Platform access |
Bitwarden Configuration
| Setting |
Value |
| Server |
vault.bitwarden.eu (EU) |
| Email |
codiedev42@gmail.com |
| Unlock |
See memory MCP (get_context(project: "global", key: "bitwarden_unlock")) |
Credential Inventory
GitHub
| Bitwarden Entry |
Purpose |
Used By |
Expiry |
| GitHub PAT (Claude) |
Legacy PAT — EXPIRED |
Was used by Docker runners |
Expired |
| GitHub OAuth Token |
OAuth token for gh CLI |
Docker runners (.env as GITHUB_TOKEN) |
— |
| RELEASE_PAT |
Review-E PAT for release PR auto-approval |
All app repos (GitHub secret) |
2026-05-30 |
GitHub App PEMs: Stored locally on each agent host, not in Bitwarden. See .claude/skills/github-apps/SKILL.md for paths.
Apple / App Store Connect
| Bitwarden Entry |
Purpose |
Used By |
| App Store Connect API Key |
ASC API (issuer ID, key ID, private key) |
appstoreconnect-mcp |
| Apple ID (u7232055051@gmail.com) |
ASC portal login, Xcode signing |
Browser automation |
Cloud Services
| Bitwarden Entry |
Purpose |
Used By |
| Cloudflare API Token |
Cloudflare API access |
cloudflare MCP, GitHub Actions |
| OpenAI API Key (Claude) |
DALL-E image generation, Nutri-E workers |
Blog images, Nutri-E |
| Google Service Account Key |
Play Store deployment |
star-rewards Android |
Messaging / Notifications
| Bitwarden Entry |
Purpose |
Used By |
| Discord Bot Token (Codi-E) |
Codi-E Discord bot |
discord MCP |
| Discord Bot Token (Pi-E) |
Pi-E Discord bot |
Pi-E OpenClaw |
| Discord Bot Token (Volt-E) |
Volt-E Discord bot |
Volt-E agent-runner |
| Discord Bot Token (Review-E) |
Review-E Discord bot |
Review-E agent-runner |
| Telegram Bot Token |
Telegram notifications (legacy) |
telegram-notifications-mcp |
| Pushbullet API Key |
SMS forwarding |
pushbullet-sms-mcp |
Revenue / Subscriptions
| Bitwarden Entry |
Purpose |
Used By |
| RevenueCat API Key |
Subscription management |
revenuecat MCP |
GCP
| Resource |
Value |
| Infra Project |
invotek-github-infra |
| Service Account |
github-actions@invotek-github-infra.iam.gserviceaccount.com |
| Auth |
Workload Identity Federation (keyless, no secret needed) |
| Billing Account |
015BBC-422A59-EB7AF4 |
Agent Authentication Methods
All agents share ONE Claude Max subscription: invotekas@gmail.com (max tier).
| Agent |
Claude Auth |
GitHub Auth |
How Token Stays Alive |
| Codi-E / Claude-4/5/6 |
Local Claude Max |
User's gh CLI |
Manual claude auth login |
| Pi-E |
OAuth (invotekas@gmail.com) |
pie-agent-bot GitHub App |
Claude cron job (3-day keepalive) |
| Volt-E |
OAuth (invotekas@gmail.com) |
volt-e-agent-bot GitHub App |
Claude cron job (3-day keepalive) |
| Review-E |
OAuth (invotekas@gmail.com) |
review-e-bot GitHub App |
Claude cron job (3-day keepalive) |
| iBuild-E |
Local Claude Max |
ibuild-e-bot GitHub App |
Local LaunchAgent |
Token Lifecycle
- Primary: Each remote agent (Pi-E, Volt-E, Review-E) runs a Claude cron job that keeps the OAuth token alive for 3 days by refreshing it automatically.
- Bootstrap/Fallback: M4 MacBook pushes tokens via
push-claude-creds.sh (LaunchAgent, every 5 min). Only pushes when local token is newer than remote. Used to bootstrap new agents or recover from expiry.
- Emergency: VNC into agent host, run
claude login to get a fresh token directly.
Token Sync Infrastructure
LaunchAgents on MacBook Air M4:
- com.invotek.push-claude-creds — pushes OAuth to Pi-E, Volt-E, Review-E on credential change + 5-min interval
- com.invotek.refresh-github-tokens — generates fresh ghs_ GitHub App tokens every 30 min
- ai.invotek.claude3.token-sync — additional token sync
- ai.invotek.claude3.heartbeat — heartbeat check
Push targets (from script):
- Pi-E: claude@100.107.48.17 (key: rpi-claude), path: /home/claude/.openclaw/agents/main/agent/auth-profiles.json
- Volt-E: root@100.111.142.118 (key: vps-srv1099021), path: /home/openclaw/.openclaw/agents/main/agent/auth-profiles.json
- Review-E: claude@100.77.12.75 (key: rpi-pi4-02), path: /home/claude/.openclaw-review-e/agents/main/agent/auth-profiles.json
Note: iBuild-E manages its own token via local LaunchAgent (com.invotek.ibuild-e.token-sync), not through the push script.
Pi-E Token Watchdog: Cron every 5 min, Discord alert 1hr before OAuth expiry.
Rotation Schedule
| Credential |
Rotation |
Next Due |
| RELEASE_PAT |
Manual (Review-E PAT) |
2026-05-30 |
| GitHub App tokens |
Auto (1hr lifetime, refreshed every 30min) |
— |
| OAuth tokens |
Auto (refreshed by push script / VNC login) |
— |
| Cloudflare API Token |
Manual |
Check Bitwarden |
| ASC API Key |
Manual |
Check Bitwarden |
Expired / Deprecated
| Entry |
Status |
Notes |
GitHub PAT (Claude) (ghp_*) |
EXPIRED |
Replaced by OAuth + GitHub Apps |
| Telegram Bot Token |
Deprecated |
Discord preferred, Telegram still configured |