CLI Authentication
How the MyClaude CLI authenticates via PKCE S256 browser flow, stores credentials securely, and manages sessions.
The MyClaude CLI authenticates via a secure PKCE S256 browser flow. No passwords are entered in the terminal. Tokens are stored in the OS keychain when available, with a file fallback.
How authentication works
When you run myclaude login, the following sequence occurs:
- The CLI generates a cryptographic state parameter (256-bit random) and a PKCE code verifier/challenge pair (S256).
- It opens your browser to myclaude.sh/cli/auth with the state and code challenge as URL parameters.
- You authenticate in the browser using MyClaude's web authentication (the same sign-in flow as the website).
- The browser posts your tokens and code challenge to the server.
- The CLI polls the server with the state and code verifier.
- The server verifies SHA-256(verifier) == stored challenge and returns your tokens.
- Tokens are stored locally in the OS keychain or file fallback.
The entire flow completes without any passwords entering the terminal. The PKCE binding prevents token interception even if the state parameter were leaked.
Logging in
```bash
myclaude login
```
The CLI opens your default browser. Complete sign-in there, then return to the terminal. On success:
```text
Authenticated as @your-username
Session stored at ~/.myclaude/credentials
```
If you do not yet have a MyClaude account, run myclaude register or create one at myclaude.sh.
What gets stored
| Data | Location | Encrypted | Persistence |
|---|---|---|---|
| Refresh token | OS keychain | Yes (OS-level encryption) | Until logout or expiry |
| ID token | In-memory only | N/A | Discarded after each command |
| UID, email, username | ~/.myclaude/config.json | No (non-sensitive metadata) | Until logout |
The refresh token is stored under the service name vault-marketplace in your OS keychain. On systems where the keychain is unavailable, the CLI falls back to ~/.myclaude/credentials with chmod 600 permissions and prints a warning.
Token lifecycle
Refresh tokens
Refresh tokens are silently exchanged for a fresh ID token on every command invocation. The exchange uses jitter to prevent thundering-herd patterns. If the refresh fails (token expired, revoked, or network error), the CLI clears stored credentials and prompts you to log in again.
ID tokens
ID tokens are short-lived (1-hour expiry) and exist only in process memory. When the command exits, the ID token is gone.
Token refresh flow
```text
Command invoked
→ Read refresh token from keychain (or file fallback)
→ Exchange for fresh ID token (with jitter)
→ Use ID token for all API calls
→ Command exits, ID token discarded
```
Non-interactive authentication for CI/CD
In CI/CD environments, use the MYCLAUDE_TOKEN environment variable:
```bash
export MYCLAUDE_TOKEN=eyJhbGciOiJSUzI1NiJ9...
myclaude publish
```
When MYCLAUDE_TOKEN is set, the CLI skips the keychain entirely and uses the provided token directly. Store the token as a secret in your CI provider (GitHub Actions secrets, GitLab CI variables, etc.).
CI/CD example with GitHub Actions
```yaml
name: Publish to MyClaude
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "22"
      - run: npm install -g @myclaude-cli/cli
      - run: myclaude publish
        env:
          MYCLAUDE_TOKEN: ${{ secrets.MYCLAUDE_TOKEN }}
```
Session management
Check current session
```bash
myclaude whoami
```
Returns exit code 0 on success and 2 if no valid session exists. Use in scripts:
```bash
myclaude whoami || myclaude login
```
Log out
```bash
myclaude logout
```
Deletes the refresh token from the OS keychain and removes credentials. No network request is made — the logout is local only.
Security considerations
No passwords in the terminal. The PKCE browser flow means credentials are only ever entered in the browser, protected by the same security as web authentication.
PKCE S256 binding. Even if the state parameter were leaked, an attacker cannot exchange it for tokens without the code verifier, which never leaves the CLI process.
Keychain encryption. On macOS, tokens use macOS Keychain (encrypted with your login password). On Windows, Credential Manager. On Linux, Secret Service API (GNOME Keyring or KWallet).
One-time retrieval. Server-stored tokens are deleted after the first successful retrieval by the CLI. They cannot be replayed.
5-minute TTL. If the browser flow is not completed within 5 minutes, the server-side tokens expire automatically.
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| Error: not authenticated | No stored credentials | Run myclaude login |
| Error: session expired | Token expired | Run myclaude login to create a new session |
| Error: keychain access denied | OS keychain locked | Unlock your keychain or check permissions |
| Warning: keychain unavailable | No OS keychain (headless/container) | Expected in CI/CD. Use MYCLAUDE_TOKEN |
| Browser does not open | CLI cannot launch browser | Copy the URL from terminal output and open manually |
| myclaude whoami shows wrong account | Logged in as different user | Run myclaude logout then myclaude login |
| Token works locally but fails in CI | MYCLAUDE_TOKEN not set | Verify the secret is injected correctly |
Related pages
- CLI Installation — install the CLI and run your first login
- CLI Commands Reference — full reference for all 29 commands
- CLI Configuration — config files and paths