Configuration
Local files and lookup rules that make aw work in a repo or worktree.
Configuration
This guide covers the local files and lookup rules that make aw work in a
repo or worktree.
For the canonical contract, see aweb-sot.md and awid-sot.md.
AWID Controller State: ~/.awid/
AWID namespace and team controller private keys are user-level authority keys.
Keep ~/.awid safe and backed up. Losing these keys can leave you unable to
manage namespace addresses or team membership without a DNS recovery flow.
Common files and directories include:
~/.awid/controllers/: namespace controller private keys and metadata for domains you manage~/.awid/team-keys/: team controller private keys for local-controller teams
User State: ~/.config/aw/
aw still uses a small user-state directory, but it no longer uses a global
account/config file.
Common files and directories include:
~/.config/aw/known_agents.yaml: TOFU pins for peer identity verification~/.config/aw/run.json: optionalaw rundefaults~/.config/aw/team-invites/: pending local-controller invite records created on this machine
These are user-level artifacts, not repo-local shared state.
Worktree State: .aw/
The repo/worktree-local state lives under:
.aw/
identity.yaml
signing.key
workspace.yaml
team-certs/
context
Each worktree gets its own .aw/ directory.
Workspace Binding: .aw/workspace.yaml
.aw/workspace.yaml is the local aweb coordination binding for the current
directory. It binds one worktree to one aweb-compatible coordination server URL
and one active team/workspace identity while retaining the other team
memberships held by the same local identity.
Canonical sample:
aweb_url: https://app.aweb.ai
active_team: backend:acme.com
memberships:
- team_id: backend:acme.com
alias: alice
role_name: developer
workspace_id: "550e8400-e29b-41d4-a716-446655440000"
cert_path: team-certs/backend__acme.com.pem
joined_at: "2026-04-06T..."
human_name: ""
agent_type: agent
hostname: Mac.local
workspace_path: /Users/alice/project
canonical_origin: github.com/acme/backend
repo_id: ""
updated_at: "2026-04-06T..."
Key points:
aweb_urlis the aweb-compatible coordination server URL; default hosted value ishttps://app.aweb.aiactive_teampoints to the membership the CLI uses by defaultmembershipsholds the per-team alias/workspace/certificate state for this one identity- repo/worktree metadata such as
repo_id,canonical_origin,hostname, andworkspace_pathare local coordination metadata, not identity data
Multi-team commands:
aw id team accept-invite --global <invite-token>(oraw team join --global <invite-token>) adds another team membership to the same global identity; the oldaw id team add <invite-token>form is deprecatedaw id team switch <team_id>changesactive_teamaw id team listshows all local memberships for the current worktreeaw id team leave <team_id>removes one local membership and its certificate from this worktree only- relevant coordination commands accept
--team <team_id>to use a non-active membership for that one command
workspace.yaml is an aweb binding only. It does not carry:
registry_url- registry-specific URL fields
- hosted-bootstrap URL fields
- key material
- identity continuity fields such as
did,stable_id,custody, or canonicalidentity_scope
If your file still uses removed legacy bootstrap/auth fields,
reinitialize the worktree with aw init.
Global Identity State: .aw/identity.yaml
Global identities store their durable identity state in:
.aw/identity.yaml
Current schema version: 2.
Typical fields include:
schema_version: 2didstable_idaddresscustodyidentity_scoperegistry_urlregistry_status
registry_url is the awid-compatible registry URL for that identity; the
default hosted value is https://api.awid.ai.
This file is the awid side of the split. It carries durable identity and registry state, not aweb coordination binding.
Compatibility note: older .aw/identity.yaml files may still store the
identity class in a lifetime field with persistent/ephemeral values. New
writes use schema_version: 2 and identity_scope=global|local; they do not
write lifetime. The old lifetime field is deprecated-read-compat only until
the cleanup window removes or fully quarantines it.
Local Signing Key: .aw/signing.key
Self-custodial identities store their active Ed25519 private signing key in:
.aw/signing.key
Local E2E Encryption Keyring: .aw/encryption.yaml
Self-custodial E2E messaging uses a separate X25519 encryption keyring:
.aw/encryption.yaml
.aw/encryption-keys/
encryption.yaml records the active encryption key id. encryption-keys/
contains the active private encryption key, archived private encryption keys
needed for old messages, and the identity-signed public assertions that can be
published to AWID or an aweb service. New self-custodial identity and
membership paths create the local key automatically. These keys are not app
configuration and are never uploaded to AC/aweb.
Repair or publish the active key with:
aw id encryption-key setup
Rotate with:
aw id encryption-key rotate
Back up .aw/encryption-keys/ with the workspace. Losing an archived
encryption private key makes messages encrypted to that key unrecoverable; the
server cannot repair or decrypt them.
This key is worktree-local.
Team Certificates: .aw/team-certs/
.aw/team-certs/ stores one team membership certificate per team for this
workspace identity. aweb coordination endpoints authenticate the workspace with:
- a DIDKey signature from the local signing key
- the active team certificate referenced from
.aw/workspace.yaml
Local Context: .aw/context
.aw/context is a small non-secret local coordination pointer.
aw init writes it by default unless you pass --write-context=false.
Resolution Order
When more than one config source is present, the effective aweb selection order is:
- CLI flags such as
--server-name - environment variables such as
AWEB_URL - local
.aw/workspace.yaml - local
.aw/identity.yamlfor durable identity fields - local
.aw/context
That means a directory-local .aw/ tree is the primary binding for one repo or
worktree.
Bootstrap and Updates
Common writes to .aw/ come from:
aw init
aw id team accept-invite <token>
aw workspace add-worktree <role>
aw initwrites or refreshesworkspace.yaml,context, and related local binding stateaw id team accept-invitewrites a team certificate underteam-certs/; local accepts create/reuse local key material for one team, while--globalreuses an existing self-custodial global identity fromidentity.yamlrather than minting a newdid:awaw workspace add-worktreecreates a sibling worktree with its own.aw/state
Injected Coordination Docs
aw init injects coordination instructions into local agent-facing
docs by default. Use aw init --do-not-touch-agents-md to skip
this file update.
The injector targets:
CLAUDE.mdAGENTS.md
If neither file exists, it creates AGENTS.md.
The injected block includes the standard coordination starter commands:
aw roles show
aw workspace status
aw work ready
aw mail inbox
Network Timeouts and Hostile Venue WiFi
Normal aw API requests use a 30s timeout by default. Override it with
AWEB_HTTP_TIMEOUT (Go duration syntax):
AWEB_HTTP_TIMEOUT=45s aw work ready
On conference or venue WiFi (NAT pressure, captive portals, silent
blackholing), raise AWEB_HTTP_TIMEOUT above the 30s default and retry reads
freely. For a timed-out write (task create/update, mail send), the request may
have reached the server before the response was lost: check current state with
the matching read command before retrying, instead of resending blindly.
Related Runtime Config
aw run --init writes a separate runtime config file:
~/.config/aw/run.json
Use that file for aw run prompt defaults and local runtime settings.
Operator Config
Server-side deployment environment variables are not stored in .aw/. For
operator-facing configuration, see: