Open App

Authentication

How the WyrdOS CLI authenticates, config precedence for tokens and base URLs, and how to log in, log out, and verify access.

The WyrdOS CLI authenticates using an API token and a base API URL. Both can be provided on the command line, via environment variables, or from stored configuration.

API tokens

The CLI uses a WyrdOS API token to authenticate requests.

  • Create or retrieve an API token from the WyrdOS web app (account or workspace settings, depending on your deployment).
  • Treat this token like a password: keep it secret and rotate it if it is ever exposed.

Token precedence

When a command needs a token, it resolves it in the following order:

  1. Explicit flag--token <token>
  2. Environment variableWYRDOS_API_TOKEN
  3. Stored config – value saved by wyrdos auth login

If no token is available from any of these sources, the CLI will fail with an authentication error.

Base URL precedence

Similarly, the CLI needs to know which WyrdOS deployment to talk to.

It resolves the base URL in this order:

  1. Explicit flag--base-url <url>
  2. Environment variableWYRDOS_API_BASE_URL
  3. Stored config – value saved by wyrdos auth login

For most users, the stored config is enough; the flags and environment variables are useful for CI or talking to multiple environments (e.g. staging vs production).

Login

wyrdos auth login walks you through logging in and saving credentials to a local config file (such as a file under your home directory). Once logged in:

  • the CLI will reuse the stored token and base URL for subsequent commands
  • you can override them at any time with flags or environment variables

The exact login flow depends on your WyrdOS deployment (for example, browser-based auth or a device code).

Logout

To remove stored credentials from your machine:

wyrdos auth logout

This does not revoke the token on the server, but it ensures the local CLI no longer uses it.

Check authentication

Use wyrdos auth check to verify that the CLI can authenticate and to see which workspace and scopes you currently have:

wyrdos auth check

This is a good smoke test for:

  • ensuring your token is valid
  • confirming you are talking to the correct base URL
  • debugging issues in CI where environment variables may be misconfigured

Security notes

  • Prefer environment variables or secure config files over hard-coding tokens in scripts.
  • Limit token scopes to the minimum needed for your use case.
  • Rotate tokens regularly and immediately if you suspect compromise.
  • Be careful when sharing command logs; redact tokens or any Authorization headers.
WyrdOS
Product
Resources
Connect
© 2026 Wyrdos
All rights reserved.