Authentication

mycli supports two authentication modes:

• Interactive — email magic links via my cli login, for day-to-day use on a workstation.
• Non-interactive — myc_… API tokens via MY_API_TOKEN, for CI, scripts, and headless boxes.

Login flow

my cli login

1. The CLI prompts for your email address
2. A magic link is sent to your inbox via the device auth flow
3. Click the link to verify your email
4. The CLI receives a JWT token and stores it securely

Token storage

Auth tokens are stored in your operating system’s keyring (macOS Keychain, Linux Secret Service, Windows Credential Manager). If the keyring is unavailable, tokens fall back to ~/.my/credentials.json.

Check login status

my cli whoami

Shows your user ID and email if logged in.

Check overall status

my cli status

Shows the API URL, login state, last sync time, and cached command count.

Logout

my cli logout

Clears stored credentials from the keyring and local file.

Token refresh

Access tokens are short-lived JWTs that the CLI refreshes automatically — both reactively (on a 401) and proactively just before they expire. To keep sessions alive across long idle periods, the CLI also fires a silent refresh roughly once a week whenever you run any my command, and each refresh extends the session by another 30 days. In practice: if you use mycli at least every couple of weeks you should never need to log in again.

API tokens (for CI and scripts)

API tokens are long-lived bearer credentials prefixed myc_ that bypass the interactive login. They’re the right choice for CI jobs, deploy scripts, and any environment without a browser or inbox.

Create one

my cli token create ci-deploy
# Token: myc_3f12c4...
# Save this token — it won't be shown again.
# Use it with: export MY_API_TOKEN=<token>

Common flags:

• --expires-in 30d — give the token an expiry (d, h, y).
• --profile work — scope the token’s catalog reads to a specific profile.

Use one

Export the raw token; the CLI uses it as the Authorization: Bearer … header and skips JWT refresh entirely.

export MY_API_TOKEN=myc_3f12c4...
my library install kubernetes
my cli run deploy --env staging

Manage them

my cli token list                # see prefix + last-used + expiry (raw secret is never shown)
my cli token revoke ci-deploy    # prompts unless --force

Caution

Token-management routes (POST/GET/DELETE /v1/tokens) require JWT auth — an API token cannot mint or revoke another token. This is intentional: if a token leaks, the blast radius is limited to data access, not credential proliferation.

Limits

• 10 tokens per user. Revoke one before creating an 11th.
• Names ≤ 100 characters.
• Raw token is shown once at creation. It’s stored only as a SHA-256 hash on the server.

Working without an account

Tip

Many mycli features work without authentication:

• Sources — my source add/remove/list/update all work offline
• Run from file — my cli run -f command.yaml works locally without any network access

Only publishing commands to the registry requires authentication.

Next steps

CLI Reference: login Login command details.

CLI Reference: token Manage API tokens.

Profiles Scope libraries by workflow.

Environment Variables CLI and server configuration.