
Authentication

The CLI needs an API token to communicate with Envshed. There are two ways to authenticate: a browser-based login or an existing API token.

Run the login command and follow the browser flow:

envshed login

This will:

  1. Open your browser to the Envshed authorization page
  2. Ask you to approve the CLI access
  3. Automatically save the token to ~/.envshed/config.json

If you're not logged into Envshed in the browser, you'll be redirected to sign in first, then brought back to the authorization page.
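Because the login flow writes the token to ~/.envshed/config.json, it is worth confirming that only your user can read that file. The script below is an added example, not part of the Envshed CLI or its documentation; the function names are hypothetical, and this page does not state which permissions the CLI sets on its own.

```shell
#!/bin/sh
# Added example: audit permissions on the saved Envshed token file.
# Assumption: the path is the one this page names; function names are hypothetical.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if group and other have no access bits set on the path.
is_private() {
    mode=$(perm_of "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Check the token file and its directory; tighten to 600/700 when too open.
# Usage: audit_token_store [path]   (default: ~/.envshed/config.json)
audit_token_store() {
    file=${1:-"$HOME/.envshed/config.json"}
    dir=$(dirname "$file")
    rc=0
    if [ ! -f "$file" ]; then
        echo "no token file at $file (not logged in?)"
        return 0
    fi
    if ! is_private "$file"; then
        echo "WARN: $file has mode $(perm_of "$file"), setting 600"
        chmod 600 "$file" || rc=1
    fi
    if ! is_private "$dir"; then
        echo "WARN: $dir has mode $(perm_of "$dir"), setting 700"
        chmod 700 "$dir" || rc=1
    fi
    return "$rc"
}
```

Source the script and run `audit_token_store` after logging in; it prints nothing when the file and directory are already private.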

Custom API URL

If you're running Envshed locally or on a custom domain:

envshed login --api-url http://localhost:3000

Token-based login

If you already have an API token (created in the web dashboard under Settings > API Tokens):

envshed login --token envshed_your_token_here

Verify authentication

Check who you're logged in as:

envshed whoami

Managing tokens

envshed token show      # Show current token (masked)
envshed token clear     # Remove saved token
envshed token set <t>   # Set a new token directly

Service tokens (CI/CD)

For automated systems like CI/CD pipelines, Kubernetes, or other infrastructure, use service tokens instead of personal API tokens. Service tokens are tied to an organization (not a user), support scoped permissions, and continue working even if the creating user leaves the org.

# Create a read-only token scoped to a project, expiring in 90 days
envshed token create-service \
  -o my-org \
  -n "GitHub Actions CI" \
  -s project \
  --project-id <uuid> \
  -p read \
  --expires-in 90

You can also create and manage service tokens from the dashboard under Organization > Service Tokens.

See Service Tokens for full documentation.