CLI authentication
Authenticate the CLI with your org.
Two ways in: an interactive browser-approved login for your own terminal, and API keys for anything non-interactive — CI runners, scripts, and headless agents.
01Interactive: cofactor login
cofactor login
This opens your browser to approve the session. Once you approve, the CLI saves an org-scoped token to ~/.config/cofactor-cli/auth.json and every subsequent command uses it — no per-command auth.
Belong to more than one organization? List them and pick:
cofactor orgs cofactor login --org "Acme"
02Non-interactive: API keys
For CI and other headless contexts, create an API key in Settings → API Keys and provide it as an environment variable:
export COFACTOR_API_TOKEN=<your-api-key> cofactor test-suite run # no login needed
COFACTOR_API_URL overrides the API endpoint when you need to target a non-default environment. Individual commands also accept --token and --api-url flags for one-off overrides, but the environment variables are the right shape for CI secrets.
See API keys for scoping and rotation.
03When something's off: cofactor auth doctor
cofactor auth doctor
Diagnoses the usual suspects — missing or expired token, corporate proxies intercepting TLS, wrong API URL — and tells you which layer is broken instead of leaving you to bisect it.
04Next steps
- Using the CLI in CI — wiring auth and suite runs into a pipeline
- Command reference — everything the CLI can do