Where your root keys live
The honest answer โ root keys sit in a 0600 plaintext file at ~/.ringtail/credentials.json on your machine, and how to revoke or remove them.
The single most common question about a credentials tool is where do my keys end up? Here's the honest, no-hand-waving answer.
The file
Your root keys โ the master tokens that mint everything else (your Cloudflare token, your Neon key, โฆ) โ live in one plaintext JSON file on your own machine:
~/.ringtail/credentials.jsonIt is not encrypted at rest. It's a plain file, the same shape as ~/.aws/credentials.
What protects it is Unix file permissions, enforced on every write (a loose umask
can't widen them):
- the directory
~/.ringtailis0700(only your user can enter it), - the file
credentials.jsonis0600(only your user can read or write it).
A root credential is stored once, globally โ the same Cloudflare token is reused across
every repo you set up, so it lives here rather than scattered per-project. Per-project values
(the keys Rocco mints for a specific app) go to that repo's .env.local and Infisical.
Anyone with local OS access to your user account โ or root on the box โ can read this file
directly. That is the OS's trust boundary, not the agent's: it's the same exposure as your
~/.aws, ~/.ssh, or ~/.config secrets. Ringtail's guarantee is that your coding agent
never sees these values (The guarantee); it is not a claim
to defend against a local attacker who already owns your machine.
What is not here
- No cloud copy. Ringtail has zero telemetry and no phone-home. The only network targets are the local daemon and the real provider APIs โ root keys never leave your disk except to the provider's own allowlisted host (Allowlist).
- No agent copy. The daemon holds the file; the agent orchestrates over MCP and receives key names and statuses only.
Revoke or remove your keys
There is no background service and no hidden state โ removing your keys is deleting a file:
# Remove everything Ringtail has stored (root keys + your account session).
rm ~/.ringtail/credentials.json
# Or remove the whole directory.
rm -rf ~/.ringtailThat erases Ringtail's copy. It does not invalidate the tokens at the provider โ Ringtail can't un-mint a key it handed you. To fully revoke a leaked or retired key, rotate or delete it in that provider's own dashboard (Cloudflare, Neon, Resend, โฆ), then re-run Ringtail to mint a fresh one.
To uninstall entirely: delete ~/.ringtail as above and remove the repo clone. Nothing is
installed globally, so there's nothing else to clean up.