Remove a teammate with a single command:
capy kick alice@example.com
The service removes their membership. The next time their CLI tries to co-decrypt anything, the service refuses (they’re no longer a member), and their local key.enc becomes cryptographically inert - its outer wrap needs the service to strip it, and the service won’t. No key rotation. No re-encrypting every secret. No propagating a new master key to every remaining member. A membership delete, and revocation is complete.

Kicking from the TUI

capy users opens the interactive members list. Press r on a member’s row to change their role; one of the options is remove, which kicks them from the org without running a separate CLI command:
  Email                          Role           Added         Projects
  ─────────────────────────────────────────────────────────────────────
  alice@acme.com                 owner          2025-01-15    2 projects
> bob@acme.com                   ❯ admin                      1 project
                                   project-admin
                                   member
                                   remove
  ─────────────────────────────────────────────────────────────────────
   ↑↓ pick role  Enter confirm  Esc cancel
Picking remove and pressing Enter has the same effect as capy kick bob@acme.com. Inside an expanded project, the same picker offers a per-project remove (which only revokes their access to that one project; they stay in the org).

Why it’s safe to skip re-encryption

The kicked user’s key.enc is an outer-wrapped blob. To use it they need to present it to the service and have the service strip the outer wrap. The service checks membership on that call - if they’ve been kicked, the call returns 403. Their bytes are still on disk. They’re just unusable. See Cryptography → Revocation for the full construction.
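A simplified model of that membership gate, added here as an illustration; it is not Capy's code or its actual construction. The Service class, the per-member inner wrap, and the SHAKE-256/HMAC wrap (a standard-library stand-in for a real AEAD) are all assumptions.

```python
import hashlib, hmac, secrets

def wrap(key: bytes, data: bytes) -> bytes:
    """Stand-in for an AEAD (assumption): SHAKE-256 keystream plus HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class Service:
    """Hypothetical service side: holds the outer key and the member list."""
    def __init__(self):
        self._outer_key = secrets.token_bytes(32)  # never leaves the service
        self.members = set()

    def enroll(self, email: str, inner_blob: bytes) -> bytes:
        self.members.add(email)
        return wrap(self._outer_key, inner_blob)  # stored locally as key.enc

    def kick(self, email: str) -> None:
        self.members.discard(email)  # the only state change: a membership delete

    def strip_outer(self, email: str, key_enc: bytes):
        if email not in self.members:  # membership is checked on every call
            return 403, None
        return 200, unwrap(self._outer_key, key_enc)

def recover_master(service, email, local_key, key_enc):
    # Co-decrypt: the service strips the outer wrap, the client strips the inner.
    status, inner_blob = service.strip_outer(email, key_enc)
    return unwrap(local_key, inner_blob) if status == 200 else None

def demo():
    # Constructed sample data: two members sharing one master key M.
    service, M = Service(), secrets.token_bytes(32)
    keys = {e: secrets.token_bytes(32) for e in ("alice@example.com", "bob@example.com")}
    blobs = {e: service.enroll(e, wrap(k, M)) for e, k in keys.items()}
    before = {e: recover_master(service, e, keys[e], blobs[e]) == M for e in keys}
    service.kick("alice@example.com")  # no key rotation, no re-encryption
    after = {e: recover_master(service, e, keys[e], blobs[e]) == M for e in keys}
    return before, after, keys, blobs
```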

What kicking does not do

  • It doesn’t recall plaintext values they already saw. If the kicked user read a value and stored it somewhere outside Capy (a text file, a screenshot, a chat log), that copy is outside Capy’s control. Rotate anything sensitive through your normal secret-rotation process.
  • It doesn’t invalidate cached deploy tokens. Any deploy tokens minted while they were a member still work. Revoke individual deploy tokens if you have reason to suspect they captured one.
  • It doesn’t rotate the master key. Remaining members keep using the same M. That’s fine - the departed user can’t recover M without the service, and the service won’t help them.

When you do need to rotate

If you suspect the kicked user captured the seed phrase (not just their key.enc), rotate: new seed, new M, re-encrypt every secret, re-invite every remaining member. The seed phrase is the one artifact that bypasses the service’s co-decrypt gate. In practice this applies only to someone who had access to the owner’s seed phrase. Kicking an ordinary member doesn’t require it.

What’s next

capy kick

Command flags.

Revocation (cryptography)

The exact cryptographic enforcement.