Configuration
API key setup, environment variables, plugin settings, and managing the plugin
Configuration
ArmorClaude ships with one configurable knob: your ArmorIQ API key. Everything else is hardcoded to the value we've tested as the right default. If you need a different behavior, you can edit scripts/lib/config.mjs in the plugin's install directory - that file is the config.
Authentication
ArmorClaude requires an ArmorIQ API key. The key unlocks audit logs, signed tokens, and dashboard visibility, and is required for the plugin to evaluate tool calls.
Via Installer (recommended)
The installer prompts "Connect your ArmorIQ account now?" and runs the OAuth Device Code flow against the ArmorIQ backend. It opens your browser, you click Authorize, and the key is saved automatically.
Via Plugin UI (anytime)
Inside Claude Code:
/pluginSelect armorclaude → Configure → paste your API key into the ArmorIQ API Key field. The value is stored in the system keychain (or ~/.claude/.credentials.json on systems without one).
Via CLI
If you have the armoriq CLI installed (the installer adds it):
armoriq login # browser-based OAuth, saves key
armoriq whoami # check current auth
armoriq logout # clear credentialsVia Environment Variable
export ARMORIQ_API_KEY=ak_live_...Resolution Order
ArmorClaude looks for the API key in this order:
- Plugin userConfig (from
/plugin→ Configure) ARMORIQ_API_KEYenvironment variable~/.armoriq/credentials.json(written byarmoriq login)
If no key is found, the plugin refuses to evaluate and Claude Code surfaces a "no credentials" error. Run armoriq login to recover.
Plugin Settings
The plugin UI surfaces a single field. Configure via /plugin → armorclaude → Configure:
| Setting | Type | Description |
|---|---|---|
ArmorIQ API Key (api_key) | string, sensitive | Your ArmorIQ API key. Required. Get one at https://armoriq.ai. |
Everything else is intentionally not exposed. Identity (llm_id, user_id, agent_id, context_id), behavior toggles (mode, intent_required, crypto_policy_enabled), tuning numbers (token validity, refresh threshold, timeouts, retries), and CSRG verification are all hardcoded to the values we've tested as correct.
Environment Variables
Most env vars from earlier releases have been removed in favor of hardcoded defaults. The ones below still influence behavior:
| Variable | Default | Description |
|---|---|---|
ARMORIQ_API_KEY | (none) | Legacy fallback for the userConfig API key field |
ARMORCLAUDE_DATA_DIR | injected by Claude Code (~/.claude/plugins/data/armorclaude-armoriq) | Override the plugin's data + runtime location. Falls back to ~/.claude/armorclaude when the plugin runs outside Claude Code (tests, manual node). |
ARMORCLAUDE_POLICY_FILE | <dataDir>/policy.json | Override the policy file path |
ARMORCLAUDE_RUNTIME_FILE | <dataDir>/runtime.json | Override the runtime state path |
ARMORCLAUDE_DEBUG | false | Print plugin trace logs to stderr |
CLAUDE_CODE_SESSION_ID | (injected by Claude Code) | Per-session routing (not user-set) |
If you previously set variables like ARMORCLAUDE_MODE, ARMORCLAUDE_INTENT_REQUIRED, ARMORCLAUDE_VALIDITY_SECONDS, or CSRG_VERIFY_ENABLED, they are no longer read. The plugin uses the tested-good defaults for all behavior toggles. To customize, edit scripts/lib/config.mjs in the plugin's install directory.
Managing the Plugin
claude plugin list # verify installed + enabled
claude plugin disable armorclaude # turn off temporarily
claude plugin enable armorclaude # turn back on
claude plugin update armorclaude # update to latest version
claude plugin uninstall armorclaude # remove completelyFull Uninstall
claude plugin uninstall armorclaude removes the plugin code but does NOT delete the data Claude Code wrote on your behalf (runtime state, policy file, audit WAL, credentials).
The one-liner uninstaller mirrors the installer - it walks every state location, prompts before each destructive step, and verifies the result:
curl -fsSL https://armoriq.ai/uninstall_armorclaude.sh | bashSafe by default: credentials (~/.armoriq) and the global @armoriq/sdk CLI are kept unless you explicitly approve removal. Dry-run mode is available:
ARMORCLAUDE_UNINSTALL_DRY_RUN=true \
bash <(curl -fsSL https://armoriq.ai/uninstall_armorclaude.sh)For CI or scripted teardown:
ARMORCLAUDE_UNINSTALL_FORCE=true \
ARMORCLAUDE_UNINSTALL_REMOVE_CREDS=true \
ARMORCLAUDE_UNINSTALL_REMOVE_CLI=true \
bash <(curl -fsSL https://armoriq.ai/uninstall_armorclaude.sh)Manual cleanup
If you prefer to do it by hand, the script just runs these:
# 1. Plugin code + marketplace registration
claude plugin uninstall armorclaude # remove the installed plugin
claude plugin uninstall armorclaude-dev 2>/dev/null # the dev variant, if installed
claude plugin marketplace remove armoriq
# 2. Plugin cache (downloaded plugin source)
rm -rf ~/.claude/plugins/cache/armoriq
# 3. Plugin DATA (per-variant - each variant gets its own dir)
rm -rf ~/.claude/plugins/data/armorclaude-armoriq # prod variant data
rm -rf ~/.claude/plugins/data/armorclaude-dev-armoriq # dev variant data, if present
# 4. Legacy fallback dataDir (if you ever ran the plugin outside Claude Code)
rm -rf ~/.claude/armorclaude
# 5. Daemon state + audit WAL (if you used daemon mode)
rm -rf ~/.config/armorclaude
# 6. ArmorIQ credentials (shared with the armoriq CLI - keep these if you still use the CLI)
rm -rf ~/.armoriqVerify cleanup:
ls -d ~/.claude/armorclaude ~/.config/armorclaude ~/.armoriq 2>&1 | grep -v "No such"
ls -d ~/.claude/plugins/data/armorclaude* 2>&1 | grep -v "No such"
# Both should print nothing.Optionally also remove the CLI if you no longer want it:
npm uninstall -g @armoriq/sdkWhy isn't this automatic?
Claude Code plugins don't have a post-uninstall hook today. The plugin's runtime isn't running when claude plugin uninstall executes, so it can't clean up its own data. That's a Claude Code limitation, not an ArmorClaude design choice - we document the cleanup so you can be explicit when you want a clean slate.