Get started

Authentication

Log in and manage credentials for the Astro AI CLI and API
View as Markdown

Authentication links the CLI and API to your Astro AI account. You need it to push agents to the registry, access private deployments, and call protected endpoints. Sign in with ast login — an account is required. If you don’t have one, join the waitlist.

How it works

  1. You run ast login.
  2. The CLI shows you a short code (e.g. ABCD-EFGH) and a verification URL.
  3. You open the URL, enter the code, and sign in.
  4. The CLI polls until authentication completes, then stores the tokens.

Tokens are stored in the system keyring when available (macOS Keychain, Linux Secret Service, Windows Credential Manager). Otherwise they are stored in ~/.ast/credentials.json with restricted permissions.

CLI commands

CommandDescription
ast loginStart device flow and open browser to authenticate
ast login --no-browserPrint the verification URL instead of opening it
ast logoutClear stored credentials for the current profile
ast logout --allClear all stored credentials
ast whoamiShow current user and account info

Credential storage

  • Directory: ~/.astro/
  • File: credentials.json holds profile metadata. Tokens are in the keyring when available, or in this file as fallback.
  • Profile: Default profile is default. Use the --server flag on commands (e.g. ast push) to override the API server URL.

Token lifecycle

  • Access token — Short-lived (~1 hour), used for API requests.
  • Refresh token — Long-lived; used to obtain new access tokens.

The CLI refreshes the access token automatically when it is close to expiry.

API authentication

Authenticated API requests use a Bearer token in the Authorization header:

Authorization: Bearer <access_token>

Obtain the token via the CLI login flow or from your credential store.