Authentication
How to set up authentication for the Ocuroot CLI
There are three ways to authenticate the Ocuroot CLI to a server:
-
Browser Login (Recommended for developers)
This opens your browser to complete authentication and stores the token in
~/.ocuroot/auth. Use this when:- You’re working on your development machine
- You want to use your personal account credentials
- You need access to all resources you have permission for
-
Repository-Specific Login (recommended for testing)
Similar to browser login, but stores the token in
.ocuroot/authwithin your repository. Use this when:- Different repositories need different access levels
- You’re collaborating on a project and want to keep auth separate
- You want to use different accounts for different repositories
-
Environment Variable (recommended for CI and other automation)
Set the
OCUROOT_API_KEYenvironment variable with your token. Use this when:- Setting up CI/CD pipelines
- Running in automated environments
- You need to temporarily override stored credentials
Common Scenarios
Local Development
For most development work, use browser login with global storage:
Multiple Projects
If you work on multiple projects with different access levels:
- Navigate to each project directory
- Run
ocuroot auth login --local - Use different accounts as needed
CI/CD Setup
For automated environments:
- Create a service account via the Ocuroot web UI
- Get an API key for the service account
- Set it as
OCUROOT_API_KEYin your CI environment variables
Temporary Override
To quickly test with different credentials:
This overrides stored credentials for just one command.
Managing Your Authentication
Check your current auth status:
Remove stored credentials:
Best Practices
- Use browser login for day-to-day development
- Set up repository-specific auth when working on multiple projects
- Use environment variables for CI/CD and automation
- Never commit
.ocuroot/authfiles to version control - Use service accounts with minimal permissions for automated tasks