Authentication

The CLI supports two ways to authenticate: an interactive browser flow for your laptop, and a token for CI and headless environments. Both store credentials per API host, so you can be logged into production and a self-hosted instance at the same time.

Interactive login (device flow)

On your own machine, just run:

yofix login

This starts an OAuth 2.0 device flow, the same pattern gh uses:

1. The CLI prints a one-time code and a verification URL.
2. It opens your browser to that URL (pass --no-browser to print it instead).
3. You confirm the code in the browser.
4. The CLI exchanges the code for a session and stores it.

First copy your one-time code: WDJB-MJHT
Then authorize this device at: https://app.yofix.ai/cli?code=WDJB-MJHT
✔ Logged in as [email protected] (team: acme)
Credentials stored for https://app.yofix.ai.

Device-flow sessions refresh silently in the background, so a single yofix login keeps you signed in for weeks rather than minutes.

To re-authenticate as a different user without clearing a lingering $YOFIX_TOKEN, force the browser flow:

yofix login --device

Token login

To log in with a token instead of a browser, generate one in the dashboard under Settings → Tokens, then:

yofix login --token yf_xxxxxxxxxxxxxxxx

The token is validated against the API before it is stored.

Authenticating in CI

CI has no browser, so use a token. Set it as an environment variable rather than passing --token on the command line, so it never appears in process lists or shell history:

export YOFIX_TOKEN=yf_xxxxxxxxxxxxxxxx
yofix deploy --prod --no-wait

Every command reads YOFIX_TOKEN automatically. If you must pass a token inline, the --token flag takes precedence over the environment variable.

Caution

Running yofix login with --no-input (and no token) fails fast, because the device flow needs a browser. In CI, always provide YOFIX_TOKEN or --token.

See Use the CLI in CI for a full GitHub Actions example.

Where credentials are stored

Tokens are written to your OS keychain when one is available, falling back to ~/.yofix/config.json with file mode 0600. Credentials are keyed by API host, so logging into a self-hosted instance with --host does not overwrite your SaaS session.

Identity and teams

yofix whoami                   # active user, team, and host
yofix switch acme              # set the active team for future commands
yofix logout                   # clear credentials for the current host

Scope a single command to a different team without switching:

yofix deploy --team acme

Next

• Deploy from your machine
• Identity and linking reference