Authentication¶
Authentication Methods¶
phyware supports two authentication methods:
| Method | Flag / Env | Best for |
|---|---|---|
| Device-code OAuth | phyware auth login | Interactive sessions |
| Personal Access Token (PAT) | --with-token / PHYCLOUD_API_KEY | CI/CD pipelines |
Device-Code Flow¶
The default interactive login uses the OAuth 2.0 device-authorization grant:
phyware auth login --host https://cloud.phyware.io
# Opens browser → user approves → token stored securely
The CLI polls the token endpoint until the user completes browser authorization. Tokens are stored in the platform credential store (see below).
Personal Access Token (PAT)¶
Generate a PAT in the PhyCloud web UI under Settings → API Keys, then:
# Pass via stdin (preferred in CI)
echo "$MY_PAT" | phyware auth login --with-token
# Or set the env var (not recommended for interactive shells)
export PHYCLOUD_API_KEY="phk_live_..."
phyware auth status
Environment Variables¶
Setting PHYCLOUD_API_KEY skips the credential store entirely — useful in ephemeral CI environments:
export PHYCLOUD_URL=https://cloud.phyware.io
export PHYCLOUD_API_KEY=phk_live_abc123
phyware cloud verify
Credential Store¶
On interactive hosts the CLI uses the OS credential store:
| Platform | Store |
|---|---|
| macOS | Keychain |
| Linux | libsecret / gnome-keyring |
| Windows | Windows Credential Manager |
Stored credentials are keyed by host URL, enabling multi-host sessions.
Multi-host Support¶
phyware auth login --host https://staging.phyware.io
phyware auth login --host https://prod.phyware.io
# Switch the active host
phyware auth switch --host https://prod.phyware.io
# Show which host is active
phyware auth status
Best Practices¶
- Use device-code login for human sessions; PAT for automation.
- Rotate PATs regularly and scope them to the minimum required permissions.
- Never commit tokens to source control — use
PHYCLOUD_API_KEYfrom a secrets manager. - In CI, prefer short-lived tokens with
phyware auth refreshto extend validity.