Authentication
Every CLI command that talks to the Flui API does so with a long-lived
M2M API key stored in the active profile. flui auth login is the
command that produces it: a browser-based OIDC flow against the
identity provider that runs inside your installation, mints an API key,
and saves it in the active profile. The CLI never holds a password.
flui auth login
The interactive path. The CLI opens a browser, runs an OIDC code-with-PKCE flow against the installation’s identity provider, then uses the resulting access token to mint an API key and saves it in the active profile.
flui auth login # opens a browserflui auth login --headless # prints the authorization URL insteadflui auth login --key-name my-laptop| Flag | Description |
|---|---|
--headless | Print the authorization URL instead of opening a browser. |
--key-name <name> | Name attached to the generated API key (shown later in dashboard listings). Default: cli. |
After login, every CLI command that hits the API uses the saved key
transparently — no further prompts. The key is long-lived; rotating
means running flui auth login again.
About the OAuth callback
The CLI listens for the OIDC redirect on http://localhost:8899, with
fallbacks through 8900, 8901, 8902, 8910. The login flow has a
120-second window between opening the URL and receiving the callback.
Environment variables
| Variable | Effect |
|---|---|
FLUI_API_KEY | Override the API key used by the current invocation. The API URL still comes from the active profile. |
FLUI_PROFILE | Active profile selector — see Profiles and config. |
The full inventory of FLUI_* variables is in
Environment variables.