# Amp (https://jackin.tailrocks.com/guides/authentication/agents/amp/)



Amp authenticates via `~/.local/share/amp/secrets.json` on your host (the file the Amp CLI writes the `apiKey@https://ampcode.com/` token into). In `sync` mode (the default), jackin❯ copies this file into the container on every launch — Amp inside the container sees the same account and model access you have locally.

<Aside type="note">
  `~/.config/amp/settings.json` is Amp's preferences file and never holds the authentication token. jackin❯ forwards `~/.local/share/amp/secrets.json`, not the preferences file.
</Aside>

## Logging in on the host [#logging-in-on-the-host]

Before sync can forward anything, you need a working Amp login on your host:

```bash
amp auth login
```

Follow the prompted flow. Once it completes, Amp is ready on your host and jackin❯ will forward that login into every container launch.

<Aside type="tip">
  To verify the host login is active, run `amp` briefly on the host — if it starts a session without prompting for credentials, you're good.
</Aside>

## Runtime trust prompts [#runtime-trust-prompts]

jackin❯ launches Amp with `--dangerously-allow-all`, so workspace-backed launches do not stop on command confirmation prompts. This applies only inside the jackin❯ container runtime; jackin❯ does not write Amp preferences on the host.

## Subscription [#subscription]

Amp does not require a separate subscription — access is included with your Sourcegraph account.

**[Get a Sourcegraph account](https://ampcode.com/)**

Sign up at ampcode.com. Amp is currently available as part of the Sourcegraph platform with no additional per-seat or per-token billing for agent usage. The account you have on the host is the one the container sees.

## Modes available [#modes-available]

| Mode             | Supported                                        |
| ---------------- | ------------------------------------------------ |
| `sync` (default) | Yes — forwards `~/.local/share/amp/secrets.json` |
| `api_key`        | Yes — injects `AMP_API_KEY`                      |
| `oauth_token`    | No — rejected at config time                     |
| `ignore`         | Yes — no forwarding                              |

See [Agent Authentication](/guides/authentication/agents/) for what each mode does and how to switch between them.

## Troubleshooting [#troubleshooting]

If Amp inside the container shows "Not logged in":

1. Check that the host login is active — run `amp` briefly on the host.
2. Open the **Auth** tab in `jackin console` and verify the effective mode for the (workspace × role × Amp) cell.
3. If the container has stale credentials and the host has fresh ones, restart: `jackin eject <role> && jackin load <role>`.
