Docs/CLI authentication
#

CLI authentication

Authenticate the CLI with your org.

Two ways in: an interactive browser-approved login for your own terminal, and API keys for anything non-interactive — CI runners, scripts, and headless agents.

01Interactive: cofactor login

bash
cofactor login

This opens your browser to approve the session. Once you approve, the CLI saves an org-scoped token to ~/.config/cofactor-cli/auth.json and every subsequent command uses it — no per-command auth.

Approving a CLI login session in the browser

Belong to more than one organization? List them and pick:

bash
cofactor orgs
cofactor login --org "Acme"

02Non-interactive: API keys

For CI and other headless contexts, create an API key in Settings → API Keys and provide it as an environment variable:

bash
export COFACTOR_API_TOKEN=<your-api-key>
cofactor test-suite run   # no login needed

COFACTOR_API_URL overrides the API endpoint when you need to target a non-default environment. Individual commands also accept --token and --api-url flags for one-off overrides, but the environment variables are the right shape for CI secrets.

See API keys for scoping and rotation.

03When something's off: cofactor auth doctor

bash
cofactor auth doctor

Diagnoses the usual suspects — missing or expired token, corporate proxies intercepting TLS, wrong API URL — and tells you which layer is broken instead of leaving you to bisect it.

04Next steps