Are you an LLM? Read llms.txt for a summary of the docs, or llms-full.txt for the full context.
Skip to content

CLI Authentication

The CLI uses browser delegation for passkey authentication since terminals can't handle WebAuthn directly.

Login Flow

# Start login
pwm auth login you@example.com

This will:

  1. Create a temporary session on the server
  2. Open your browser to complete passkey auth
  3. Poll until authentication completes
  4. Store the session token locally

Login Command

# Login with email
pwm auth login you@example.com
 
# Output:
# Opening browser for passkey authentication...
# Waiting for authentication...
# ✓ Logged in as you@example.com

Logout

# Clear local session
pwm auth logout
 
# Output:
# ✓ Logged out successfully

Check Status

# View current session
pwm auth status
 
# Output (logged in):
# ✓ Logged in as you@example.com
# Session expires: 2026-01-21T06:00:00Z
 
# Output (not logged in):
# ✗ Not logged in

Session Storage

Sessions are stored in ~/.pwm/config.json:

{
  "apiUrl": "https://vault-api.oxc.sh",
  "token": "abc123...",
  "userId": "user-id-123",
  "email": "you@example.com"
}

Session Expiry

  • Sessions expire after 7 days
  • Re-authenticate with pwm auth login
  • Expired sessions are automatically cleared

Custom API URL

Override the API URL for development:

export PWM_API_URL=http://localhost:8787
pwm auth login dev@example.com

Or edit ~/.pwm/config.json:

{
  "apiUrl": "http://localhost:8787"
}

Browser Delegation

Why does the CLI open a browser?

  1. WebAuthn Requirement: Passkeys require a browser context
  2. Security: Your biometric data never touches the terminal
  3. Compatibility: Works with any passkey provider

The browser session is temporary (5 minutes) and single-use.