CLI Login

The rstream CLI authenticates by storing an authentication token in its local configuration. Once authenticated, the CLI can access the Control plane API to list projects and create contexts, and it can present the same token to the engine when opening tunnels.

The hosted platform supports two ways to authenticate the CLI: a browser-based flow initiated by the CLI, and a manual flow where a token created in the Dashboard is provided to the CLI. Both methods converge to the same outcome: a token stored locally and selected automatically by most CLI commands.

Browser-based login

Run:

rstream login

The CLI prints a URL and attempts to open it in a browser. After signing in and approving the request, the CLI receives a token and writes it to the local configuration.

The browser flow requests a fixed set of permissions for the CLI login session.

When Codex has been configured with rstream codex setup, the local MCP server can start the same flow with rstream_auth_start and complete it with rstream_auth_poll. The MCP login flow uses the normal CLI setup permissions by default, and agents can request an explicit permissions array only when a user-approved workflow needs broader access. It returns the approval URL to Codex; a separate code is only returned when the provider cannot embed it in that URL. The approved token is written directly to the CLI config and is not returned through MCP.

Manual token login

For automation, or when browser approval is not possible, create a token in the Dashboard and provide it to the CLI.

A token can be passed as a positional argument:

rstream login <token>

The token can also be provided through flags when the value should not appear in shell history:

printf "%s" "$RSTREAM_AUTHENTICATION_TOKEN" | rstream login --token-stdin

rstream login --token-file /path/to/token.txt

The token input flags are mutually exclusive. When multiple sources are available, the CLI uses a precedence order and ignores lower-priority sources.

Logging out

To remove the stored token, run:

rstream logout

This clears the token from the selected environment in the local configuration.

Account-wide login and project contexts

A CLI login session is account-wide: it grants access to all projects available to the authenticated account. The usual workflow is to authenticate once, then select a project with rstream project use and work within that project. In a Codex session, rstream_runtime_prepare is the equivalent preparation step when a project context is missing or stale; it repairs the local context from the stored login token and does not mint a short-lived delegated token.

For devices, CI, and other project-scoped environments, a dedicated context with a project-scoped token is often preferable. The CLI Workflow page explains the differences and the recommended patterns.