Authentication
Manage login, logout, profiles, and session inspection with the pentest-agent auth commands.
The auth command group manages login, logout, profiles, and session inspection.
auth login
Authenticate interactively via the browser, or store a token directly.
pentest-agent auth login
What happens:
- The CLI starts a device authorization flow.
- A verification URL and one-time code are printed to stderr.
- You open the URL in your browser and enter the code.
- The CLI polls until authentication completes and stores the token.
Options
| Option | Description |
|---|---|
| --token <jwt> | Store a JWT access token directly, skipping the browser flow. |
| --token-stdin | Read the JWT from stdin. Cannot be combined with --token. |
| --open-browser | Attempt to open the verification URL in your default browser automatically. |
Examples
# Interactive browser flow
pentest-agent auth login
# Interactive with auto-open
pentest-agent auth login --open-browser
# Store a token directly
pentest-agent auth login --token eyJhbGci...
# Pipe a token from a secret manager
vault kv get -field=token secret/pentest-agent | pentest-agent auth login --token-stdin
# Authenticate into a specific profile
pentest-agent auth login --profile staging
auth device start
Start a device authorization flow and return the verification details. This is the first half of a two-step scripted auth flow — useful for CI/CD pipelines and automation tools that handle the browser step separately.
pentest-agent auth device start --json
Output:
{
  "deviceCode": "abc123...",
  "userCode": "WXYZ-1234",
  "verificationUri": "https://auth.redveil.ai/activate",
  "verificationUriComplete": "https://auth.redveil.ai/activate?user_code=WXYZ-1234",
  "interval": 5,
  "expiresIn": 600,
  "expiresAt": "2026-03-10T12:10:00.000Z"
}
auth device poll
Poll an in-progress device authorization until the user completes sign-in, then store the resulting token.
pentest-agent auth device poll --device-code <code> --expires-in 300
Options
| Option | Required | Description |
|---|---|---|
| --device-code <code> | Yes | The deviceCode returned by auth device start. |
| --interval <seconds> | No | Polling interval in seconds. Defaults to 5. |
| --expires-at <timestamp> | No | Absolute expiration as milliseconds since epoch or an ISO-8601 string. |
| --expires-in <seconds> | No | Seconds until the device code expires. Defaults to 300 if neither expiration option is given. |
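The two-step flow above, joined in a script, as an added example (not code from pentest-agent or its documentation): it checks the `auth device start --json` output before building the `auth device poll` invocation. The expected host is an assumption taken from the sample output, and `plan_poll`, `EXPECTED_HOST` and the device code value are hypothetical.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: the only host accepted in verification URLs (from the sample output).
EXPECTED_HOST = "auth.redveil.ai"

# Constructed sample shaped like the documented `auth device start --json` output.
SAMPLE_START_OUTPUT = json.dumps({
    "deviceCode": "CONSTRUCTED-DEVICE-CODE",
    "userCode": "WXYZ-1234",
    "verificationUri": "https://auth.redveil.ai/activate",
    "interval": 5,
    "expiresAt": "2026-03-10T12:10:00.000Z",
})


def plan_poll(start_json, now=None):
    """Validate device-start output; return (text for the user, argv for the poll step)."""
    data = json.loads(start_json)
    missing = [k for k in ("deviceCode", "userCode", "verificationUri", "expiresAt")
               if not data.get(k)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # Refuse to show the user a link that is not HTTPS on the expected host.
    url = urlsplit(data["verificationUri"])
    if url.scheme != "https" or url.hostname != EXPECTED_HOST:
        raise ValueError("unexpected verification URI")
    # Refuse a code that has already expired instead of polling pointlessly.
    expires = datetime.fromisoformat(data["expiresAt"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("device code already expired")
    # Only the user code and URL go to the human; the device code stays out of
    # anything that might be logged.
    message = f"Open {data['verificationUri']} and enter code {data['userCode']}"
    argv = ["pentest-agent", "auth", "device", "poll",
            "--device-code", data["deviceCode"],
            "--interval", str(int(data.get("interval", 5))),
            "--expires-at", data["expiresAt"]]
    return message, argv


if __name__ == "__main__":
    # Fixed clock (constructed) so the sample is still inside its validity window.
    clock = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
    message, argv = plan_poll(SAMPLE_START_OUTPUT, now=clock)
    print(message)
    print("poll step has", len(argv), "arguments")  # argv itself is not printed
```

Pass the returned argv to `subprocess.run` as a list, without a shell, so the device code never goes through shell parsing.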
auth logout
Clear the stored token from the active profile.
pentest-agent auth logout
Options
| Option | Description |
|---|---|
| --all | Clear tokens from every saved profile. |
auth status
Show whether the current profile is signed in, and display the authenticated user and organization.
pentest-agent auth status
TTY output:
Signed in as user@example.com in Acme Corp.
JSON output:
{
  "authenticated": true,
  "user": "user@example.com",
  "organization": "Acme Corp",
  "sessionExpiresAt": "2026-03-11T00:00:00.000Z"
}
auth whoami
Alias for auth status.
pentest-agent auth whoami
auth profiles
List all saved auth profiles with their status.
pentest-agent auth profiles
Output columns: name, active, signedIn, sessionExpiresAt, lastAuthenticatedAt, lastValidatedAt.
auth use
Switch the active profile.
pentest-agent auth use <profileName>
The profile must already exist in the config file. A profile is created automatically the first time you run auth login --profile <name>.