Authentication

OAuth2 PKCE flow against your home tenant. Tokens are stored locally on your machine (~/Library/Preferences/orion-cli-nodejs/ on macOS, ~/.config/orion-cli-nodejs/ on Linux, %APPDATA%\orion-cli-nodejs\ on Windows).

• orion login
• orion logout
• orion auth status
• orion auth whoami
  • Flags
  • When whoami and status disagree

orion login

Open your browser, sign in to authorize the CLI; the CLI catches the callback and stores your tokens locally.

orion login

⠋ Opening browser for authentication...
✓ Successfully logged in!
Credentials stored in ~/Library/Preferences/orion-cli-nodejs/config.json

The CLI requests the developer and develop:apps scopes. Token TTL is set by the server (typically 30 days for the developer Passport client); refresh tokens are stored alongside.

orion auth login is an alias.

orion logout

Wipe stored credentials.

orion logout

orion auth logout is an alias.

---

orion auth status

Local view of stored credentials and the working-directory config — does not call the server. Prints two sections: stored credentials from your platform's Conf directory, then the values resolved from ./orion.config.ts.

orion auth status

Stored credentials
  source:        /Users/you/Library/Preferences/orion-cli-nodejs/config.json
  status:        active — expires in 29d 23h
  expires_at:    2026-06-12T18:42:11.000Z
  scope:         developer develop:apps
  access_token:  eyJh…sQp4
  refresh_token: def5…a91c

Working directory config (orion.config.ts)
  clientId:      <your-client-id>
  tenantUuid:    00000000-0000-0000-0000-000000000000
  host:          https://your-tenant.staging.orionsoftware.io

Useful when:

• You're not sure if you're logged in but don't want to wait on a network round-trip.
• You want to confirm what scope your stored token claims (versus what the server actually granted).

orion auth whoami

Asks the server who you are using your stored token. Confirms the token is still valid, shows what scopes the server actually granted, and reports the role and email Orion has on file for you.

orion auth whoami

You are:
  id:       <your-user-id>
  name:     Your Name
  email:    you@example.com
  role:     tenant-user
  scopes:   developer, develop:apps
  expires:  29d 23h

Flags

Flag	Purpose
--json	Emit the raw response. Useful when scripting against the same data the CLI sees.

When whoami and status disagree

• status says active, whoami says 401: the server is no longer accepting your token. Most often the token was revoked or your account permissions changed. Run orion logout && orion login to refresh. See also Troubleshooting → Token rejected after login.
• status says expired, whoami succeeds: the local token expired but the refresh token still works. The CLI auto-refreshes on first use; the next status call will show the renewed expiry.