Authentication
Log in to your AKOS workspace, manage provider credentials, store secrets in the vault, and provision integration connections.
The CLI authenticates to your AKOS workspace via a device-code OAuth flow. Once logged in, provider credentials and secrets are managed separately through the creds, vault, secrets, and connections commands.
Logging in
This starts a device-code flow:
- The CLI prints a verification URL and a short user code.
- Open the URL in a browser and enter the code.
- After approval, the CLI saves your session token locally and prints
Logged in as <userId>.
Login options
| Flag | Description |
|---|---|
--scope <scope> | OAuth scope (default: cli) |
--client-id <id> | Override the OAuth client ID |
CI environments
If the environment variable AKOS_TOKEN is already set, auth login exits immediately with a success message. Use this for non-interactive pipelines.
Checking your session
Prints Logged in as <userId> on tenant <tenantId> and confirms the workspace is reachable. Add --json for machine-readable output.
Switching tenants
When your account belongs to multiple tenants (OEM multi-tenancy), use the tenant commands to list and switch:
Lists all tenants your account can access. If you do not have the oem:tenant:admin role, the command falls back to reporting the current tenant.
Sets the active tenant. The new tenant ID is persisted to your local session and used for subsequent sidecar calls.
Logging out
Clears the locally stored session token. Safe to call when no session exists (idempotent).
Managing provider credentials
The creds command lists, verifies, and stores the API keys required by AI providers and integrations. Values are never printed.
List known providers
Shows each provider, its kind, and the vault keys it requires.
Filter by kind or provider:
Output as JSON:
Check credential presence
Scans the environment (and optionally a secrets file) for each required key. Exits with code 0 when all keys are present, code 7 when any are missing.
Set a credential
Interactive guided flow for storing a credential. Follows the same vault backend as vault put.
Onboarding guide
Print the full credential onboarding playbook:
Vault: workspace secrets
The vault command reads and writes secrets in the workspace vault. Secret values are never printed — only key names and their source are shown.
Store a secret
Scope the secret to a tenant instead of the workspace:
Scopes: workspace (default), tenant.
List stored secrets
Shows key names and their source (e.g. os-keychain). Add --json for machine-readable output.
Secrets: headless provisioning
The secrets command is a headless alternative to vault, operating through the running workspace sidecar. Use it when scripting in environments where the sidecar is already running.
Scope options (--scope workspace|tenant) work the same as vault put.
Integration connections
Integration connections link your workspace to external services (Slack, GitHub, Stripe, and others). Authentication always references a vault key — never a plaintext token.
Provision a connection
First, store the credential in the vault:
Then create the connection, referencing the vault key:
For integrations that require no auth:
Supported kinds: slack, github, linear, discord, email, cron, file, webhook, cdc, twilio, sentry, pagerduty, stripe, s3, mcp, llm.
List connections
Inspect a connection
Remove a connection
Removing a connection does not delete the underlying vault secret.