CLI Authentication
Learn how the Kindship CLI authenticates with your account using secure OAuth with PKCE.
The Kindship CLI uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure authentication. This ensures your credentials are never stored in plain text.
How It Works
- CLI generates PKCE parameters — A cryptographic code verifier and challenge
- Browser opens for login — You authenticate using your existing Kindship account
- Secure callback — The auth code is exchanged for a CLI token
- Token stored locally — Credentials saved to ~/.kindship/config.json with strict permissions
Login
kindship login
This opens your default browser to authenticate. If the browser doesn't open automatically, the URL is printed to the terminal.
Custom API URL
For development or self-hosted instances:
kindship login --api-url https://your-instance.com
Or set the environment variable:
export KINDSHIP_API_URL=https://your-instance.com
kindship login
Token Management
Check Current Session
kindship whoami
Shows your authenticated email and active agent.
Logout
kindship logout
Revokes your current token.
Logout from All Devices
kindship logout --all
Revokes all tokens associated with your account.
Token Storage
Tokens are stored in ~/.kindship/config.json with 0600 permissions (read/write for owner only).
{
  "token": "ksh_...",
  "token_id": "uuid",
  "token_expiry": "2025-02-02T...",
  "user_id": "uuid",
  "user_email": "user@example.com",
  "api_base_url": "https://kindship.ai"
}
Token Expiration
CLI tokens expire after 14 days. When expired, simply run kindship login again. If you have an active browser session with Kindship, re-authentication is instant.
Security Best Practices
- Never share your token — Treat it like a password
- Use kindship logout --all — If you suspect compromise
- Check permissions — Ensure ~/.kindship/config.json has 0600 permissions
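The permission check above, together with the 14-day expiry, can be scripted. The following Python is an added example, not part of the Kindship CLI or its documentation: audit_config is a hypothetical helper, it assumes a POSIX system, and it assumes token_expiry is an ISO 8601 timestamp (the page shows only a truncated value).

```python
import json
import os
import stat
from datetime import datetime, timezone
from pathlib import Path

# Path and the token_expiry field come from the page; audit_config is a hypothetical helper.
CONFIG = Path.home() / ".kindship" / "config.json"


def audit_config(path=CONFIG, now=None):
    """Return a list of findings for the CLI token file (empty list means OK)."""
    path = Path(path)
    now = now or datetime.now(timezone.utc)
    try:
        st = os.lstat(path)  # lstat: inspect the path itself, do not follow a symlink
    except FileNotFoundError:
        return ["config file not found (not logged in?)"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"mode is {mode:04o}, expected 0600")
    if st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    dir_mode = stat.S_IMODE(os.stat(path.parent).st_mode)
    if dir_mode & 0o022:  # others could replace the file even if its own mode is 0600
        findings.append(f"parent directory is group/world-writable ({dir_mode:04o})")
    try:
        cfg = json.loads(path.read_text())
        expiry = datetime.fromisoformat(str(cfg["token_expiry"]).replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
        if expiry <= now:
            findings.append("token has expired; run `kindship login`")
    except (OSError, KeyError, TypeError, ValueError):
        findings.append("token_expiry missing or unparseable")
    return findings


if __name__ == "__main__":
    for line in audit_config() or ["ok"]:
        print(line)
```

If the mode finding appears, chmod 600 ~/.kindship/config.json restores the documented permissions.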