> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sault.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Pairing

> Two ways to attach an agent to SAULT.

Pairing means the agent has an authorised key and knows how to use it. SAULT supports two paths.

## Path A — agent-initiated pairing (recommended)

The agent runs `sault login` (CLI) or calls `sault_login` (MCP). SAULT returns an `approveUrl` and a short `verificationCode`. The builder opens the URL, signs in, and types that code to approve.

<Steps>
  <Step title="Agent requests pairing">
    ```bash theme={null}
    npx -y @sault.ai/cli@latest login
    ```

    Prints an `approveUrl` and an 8-character `verificationCode` to stderr, then long-polls on stdout.
  </Step>

  <Step title="Builder approves">
    Opens the URL, signs in at app.sault.ai, picks a vault, and sets the agent's limits.

    To approve, the builder types the verification code shown in the terminal into the approve page. The server never sends that code to the browser — being able to type it is what proves the person approving is the one who started the pairing.
  </Step>

  <Step title="Agent receives the key">
    Once approved, the CLI / MCP receives the key, writes it to `~/.sault/config.json` (CLI) or binds it to the session (MCP), and the next command works.
  </Step>
</Steps>

Best for: when the agent is already running and the builder wants full control over the limits.

## Path B — use an existing key

If you already have a key from the console:

```bash theme={null}
# CLI
npx -y @sault.ai/cli@latest pair --key sault_ak_...

# MCP
sault_pair({ "apiKey": "sault_ak_..." })
```

Skips the browser flow. The CLI also reads a `SAULT_API_KEY` environment variable if one is set, which is handy for deploy environments.

## Verification code — why it matters

The code is shown **only in your terminal**. You type it into the approve page yourself; the server never puts it in the browser. So being able to enter it proves you are the one who started the pairing — not someone who sent you an approve link.

If you don't see a code in your terminal, don't approve — that's a sign of a phishing attempt. Close the page and run `sault login` again.
