veirox login

Authenticate with Veirox via the OAuth device flow

Synopsis

veirox login [flags]

Description

Authenticate with an Veirox workspace.

The default mode runs the OAuth 2.0 device authorization grant: the CLI
prints a short user code, opens your browser to the consent page, and
polls until you click Approve. The minted `ops_k_…` API key is
stored in your OS keyring (Keychain / Secret Service / Credential
Manager); the matching profile is written to
`~/.config/veirox/config.toml`.

Pass --token to skip the device flow and provide an existing key
(useful for CI bootstrapping). Pass --rotate to invalidate your current
key and mint a fresh one with the same scopes.

Flags

FlagTypeDefaultDescription
--device-namestringdefaultDeviceName()device label visible in the consent UI + audit log
--no-openboolfalsedon't open the browser; print the URL only
--profilestringprofile name (default: derived from host)
--rotateboolfalserotate the existing profile's key (skips device flow)
--tokenstringskip device flow and use an existing ops_k_… key (read from $TOKEN if value is '-')
--workspacestringworkspace URL (HTTPS required for non-loopback)

Examples

veirox login --workspace https://veirox.acme.com --profile work
veirox login --rotate
veirox login --token ops_k_AbCd... --profile ci

Exit codes

CodeMeaning
0Success.
1Generic error (network, API 5xx).
2Validation error (bad flag, missing required arg).
3Unauthenticated — run veirox login or set VEIROX_API_KEY.
4Not found (resource does not exist in this project).
5Permission denied (your role / API key lacks the scope).

See also