authority create


Preview features are available for use, but are still under rapid development.

There may be some minor gaps in functionality or documentation.

Your feedback on the enhancements you'd like to see on this feature are especially valuable, please send them through at

ockam authority create [OPTIONS] --project-identifier <PROJECT_IDENTIFIER> --trusted-identities <JSON_OBJECT> [NODE_NAME]

This command starts an authority node with the needed services to issue and verify cryptographically signed credentials.


  • [NODE_NAME] (optional)
    Name of the node


  • -f, --foreground (optional)
    Run the node in foreground

  • -s, --skip-is-running-check (optional)
    Skip the check if such node is already running. Useful for kubernetes when the pid is the same on each run

  • --child-process (optional)
    authority create started a child process to run this node in foreground

  • -t, --tcp-listener-address [SOCKET_ADDRESS] (optional)
    TCP listener address

  • --identity [IDENTITY_NAME] (optional)
    Name of the Identity that the authority will use

  • --project-identifier <PROJECT_IDENTIFIER>
    Identifier of the project associated to this authority node on the Orchestrator

  • --trusted-identities <JSON_OBJECT>
    List of the trusted identities, and corresponding attributes to be preload in the attributes storage. Format: {"identifier1": {"attribute1": "value1", "attribute2": "value12"}, ...}

  • --no-direct-authentication (optional)
    Set this option if the authority node should not support the enrollment of new project members

  • --no-token-enrollment (optional)
    Set this option if the authority node should not support the issuing of enrollment tokens

  • --tenant-base-url [URL] (optional)
    Okta: URL used for accessing the Okta API

  • --certificate [STRING] (optional)
    Okta: pem certificate used to access the Okta server

  • --attributes [ATTRIBUTE_NAMES] (optional)
    Okta: name of the attributes which can be retrieved from Okta

  • --account-authority [ACCOUNT_AUTHORITY_CHANGE_HISTORY] (optional)
    Full, hex-encoded Identity (change history) of the account authority to trust for account and project administrator credentials

  • --enforce-admin-checks (optional)
    Enforce distinction between admins and enrollers

  • --disable-trust-context-id (optional)
    Not include trust context id and project id into the credential TODO: Set to true after old clients are updated


# Create an authority node which can be accessed by users of project 93c6455c5f
# The default node name is 'authority'.
$ ockam authority create \
    --tcp-listener-address \
    --project-identifier 93c6455c5f \
    --trusted-identities "[{\"identifier\": \"I6c20e814b56579306f55c64e8747e6c1b4a53d9a3f4ca83c252cc2fbfc72fa94\", \"attributes\": {\"ockam-role\": \"enroller\"}}]"

# Delete an authority node
$ ockam node delete authority