Authentication
The CLI supports two authentication modes: interactive login for local development and CI tokens for automated pipelines. When DEPVAULT_TOKEN is set in the environment, the CLI uses it automatically and blocks interactive commands.
depvault login
Authenticate with your DepVault account. The CLI prompts for email and password, then stores JWT tokens in ~/.depvault/credentials.json.
depvault login| Flag | Description |
|---|---|
--email | Provide email non-interactively. |
--password | Provide password non-interactively. |
--server | Set the API server URL (persists to config). |
# Non-interactive login
depvault login --email user@example.com --password MyP@ssw0rd
# Connect to a self-hosted instance
depvault login --server https://api.example.comBlocked when
DEPVAULT_TOKENis set to prevent credential conflicts.
depvault logout
Deletes ~/.depvault/credentials.json. You must run depvault login again to re-authenticate.
depvault logoutdepvault whoami
Shows the current authentication state.
depvault whoami- Interactive mode — Displays email, name, and role.
- CI token mode — Confirms the token is set (masked).
- Not authenticated — Prompts to log in or set
DEPVAULT_TOKEN.
CI Token Mode
For CI/CD pipelines, use a project-scoped token instead of interactive login. See the CI/CD Integration guide for token generation, scoping, and pipeline examples.
export DEPVAULT_TOKEN=depvault_ci_xxxxxxxxxxxxxxxxxxxx
depvault ci pull --format env --output .envCredential Storage
| File | Contents | Created by |
|---|---|---|
~/.depvault/config.json | Server URL, active project, output format | config set, login --server |
~/.depvault/credentials.json | JWT access and refresh tokens | depvault login |
Never commit these files to version control.