Home / Features / CLI Auth
OAuth PKCE device flow SSO credentials profiles

CLI Auth

Stop rebuilding login for every CLI.

Beltline ships the auth foundation internal CLIs need: browser login, device flow fallback, secure credential storage, automatic token refresh, and named profiles.

Auth should be the first command users trust, not the first subsystem the team regrets.

CLI auth is easy in the happy path and painful everywhere else.

Local browser login works until someone is on SSH, Codespaces, WSL, CI, or a locked-down workstation. Then the CLI needs device flow, refresh tokens, keychain storage, fallback storage, profile switching, and helpful errors when any of it breaks.

Most teams discover this after they have already shipped a PKCE-only login that breaks for half their users.

Before and after Beltline

| Before | After Beltline | |--------|----------------| | One-off OAuth implementation per CLI | Browser and device flow, auto-detected | | Browser-only login | Works on SSH, Codespaces, and headless boxes | | Tokens copied into plain config files | OS keychain storage with encrypted fallback | | No account switching | Named profiles with --profile | | Refresh logic left to each team | Handled by the generated runtime | | Confusing SSH experience | Device flow falls back automatically |

Add auth in one command

beltline auth init oidc --provider okta

Generated CLI:

acme auth login

acme auth login --device

acme auth status

acme profile use staging

acme auth logout

Output:

email     maya@acme.com

profile   staging

org       Acme Platform

expires   in 47 minutes

storage   macOS Keychain

The same acme auth status --json returns a stable JSON envelope that scripts and CI can rely on — and it never includes the token itself.

What Beltline handles for you

Browser login for local machines PKCE loopback flow opens the browser, waits for the callback, and stores the token securely. Works for any OIDC provider.

Device flow for SSH and headless environments Detects the absence of a browser and falls back to device flow automatically — the same pattern used by aws sso login and gh auth login.

Profiles for staging, prod, and multiple accounts Named profiles work the way you would expect from aws or kubectl. Switch with --profile or ACME_PROFILE.

Credential storage designed for real developer machines Keychain on macOS, Credential Manager on Windows, libsecret on Linux. Encrypted file fallback for headless environments. The team never touches this code.

Auth context reused by CLI, MCP, and automation adapters Auth requirements are part of the shared command definition. The same login session powers the CLI, the MCP server, and any generated automation adapters.

Frequently asked questions

Does this support SSO? Yes. Beltline is designed around OIDC company-login patterns. Okta, Auth0, Entra ID, WorkOS, and any custom OIDC provider work with the same auth block.

Can users have multiple profiles? Yes. Each profile carries its own token, base URL, and overrides. Create as many as the team needs — staging, production, multiple orgs.

Can agents reuse the same auth context? Yes. Auth requirements live in the shared command definition, so the same context works for CLI commands, MCP tools, and automation adapters.

Does device flow work in Codespaces? Yes. Beltline detects SSH_CLIENT, the absence of xdg-open, and headless Linux, then picks device flow automatically.

Ready to ship a production CLI?

Get Beltline Read the docs
Other features
Distribution and Releases
Beltline starts generated CLIs with release-ready conventions — npm install path, single-binary build, shell completions, versioning, changelog, CI workflows, and private distribution patterns.
Internal CLI Framework
Beltline is a production foundation for branded internal CLIs — auth, profiles, config, API clients, JSON output, MCP export, automation adapters, and a release path included.
JSON Output and Errors
Beltline gives generated commands consistent human output, --json output, machine-readable errors, redaction conventions, and non-interactive modes.
MCP Server Generator
Beltline exports MCP tools from the same command definitions that power the CLI, so humans and agents share auth, inputs, outputs, and safety rules.
OpenAPI to CLI
Beltline imports an OpenAPI spec and generates resource commands, a typed API client, pagination, retries, JSON output, and examples — then lets you customize the TypeScript where it matters.
Profiles, Config, and Secrets
Beltline gives generated CLIs a consistent way to handle user config, project config, environment overrides, named profiles, and secure credential storage.
YAML Manifest
Beltline uses a readable YAML manifest to define commands, resources, auth, outputs, confirmations, and exported surfaces — with TypeScript handlers when custom logic is needed.
Zapier and Webhook Adapter
Beltline generates Zapier-style actions, searches, triggers, and webhook receivers from the same definitions behind the CLI and MCP tools.