@electric-sql/cli/skills/auth/SKILL.md

CLI for Electric Cloud

---
name: auth
description: >
  Authentication patterns for the Electric Cloud CLI. Three auth methods
  (--token flag, ELECTRIC_API_TOKEN env var, browser OAuth login), API token
  creation with scoped permissions, CI/CD non-interactive setup, token
  lifecycle (create, list, revoke), JWT expiry handling, and the auth
  resolution order.
type: core
library: electric-cli
library_version: "0.0.8"
requires:
  - getting-started
sources:
  - "electric-sql/electric:packages/cli/src/auth.ts"
  - "electric-sql/electric:packages/cli/src/config.ts"
  - "electric-sql/electric:packages/cli/src/commands/auth/login.ts"
  - "electric-sql/electric:packages/cli/src/commands/auth/token/create.ts"
---

This skill builds on electric-cli/getting-started. Read it first for setup basics.

# Electric Cloud CLI — Authentication

Three auth methods, checked in order: `--token` flag, `ELECTRIC_API_TOKEN` env
var, stored JWT from browser login. Use browser login for interactive work, API
tokens for CI/CD and scripts.

## Setup

```bash
# Interactive login — opens browser, stores JWT at ~/.config/electric/auth.json
electric auth login

# Check current auth context
electric auth whoami

# Create a scoped API token for automation
electric auth token create \
  --name "ci-deploy" \
  --scopes v2:services:read,v2:services:write
```

## Core Patterns

### CI/CD pipeline authentication

Use API tokens in CI — never browser login:

```bash
# In your CI environment
export ELECTRIC_API_TOKEN=sv_live_...

# All commands now authenticate via the token
electric services create postgres \
  --environment "$ENV_ID" \
  --database-url "$DATABASE_URL" \
  --region us-east-1 \
  --wait
```

API tokens are bound to a workspace, so workspace resolution is automatic.

### Scoped tokens with least privilege

Available scopes: `v2:projects:read`, `v2:projects:write`,
`v2:environments:read`, `v2:environments:write`, `v2:services:read`,
`v2:services:write`, `v2:services:secrets`, `v2:tokens:read`, `v2:tokens:write`.

```bash
# Read-only token for monitoring
electric auth token create \
  --name "monitor" \
  --scopes v2:services:read,v2:projects:read

# Deploy token that can create/update services but not delete projects
electric auth token create \
  --name "deployer" \
  --scopes v2:services:read,v2:services:write,v2:environments:read,v2:environments:write
```

The token value is shown once at creation. Store it securely — it cannot be
retrieved again.

### Token lifecycle management

```bash
# List all tokens in the workspace
electric auth token list

# Revoke a compromised or unused token
electric auth token revoke tok_abc
```

### Direct signup-to-token URL

New users can sign up and land directly on the token creation page:

```
https://dashboard.electric-sql.cloud/?intent=create&resource=token
```

This is useful in onboarding flows, README quick-starts, or agent-guided setup
where the user needs an API token immediately after creating an account.

### One-off commands with explicit token

```bash
# Use a different token for a single command without changing env
electric projects list --token sv_live_other_token
```

The `--token` flag takes highest priority, overriding both the env var and
stored JWT.

## Common Mistakes

### CRITICAL Using browser login in CI/CD

Wrong:

```bash
# In CI pipeline
electric auth login  # Hangs waiting for browser interaction!
```

Correct:

```bash
# In CI pipeline
export ELECTRIC_API_TOKEN=sv_live_...
electric projects list  # Works non-interactively
```

`electric auth login` requires an interactive browser. In CI, always use
`ELECTRIC_API_TOKEN` or `--token`.

Source: packages/cli/src/auth.ts

### HIGH Creating tokens with overly broad scopes

Wrong:

```bash
electric auth token create \
  --name "read-only-checker" \
  --scopes v2:projects:read,v2:projects:write,v2:services:read,v2:services:write,v2:services:secrets
```

Correct:

```bash
electric auth token create \
  --name "read-only-checker" \
  --scopes v2:projects:read,v2:services:read
```

Grant only the scopes the token actually needs. Tokens with write or secrets
access can modify or expose resources.

Source: packages/cli/README.md § Creating API tokens

### HIGH Ignoring JWT expiry warnings

Wrong:

```bash
electric auth whoami
# Warning: JWT expires in 2 hours
electric projects list  # Works now, but will fail in CI if cached
```

Correct:

```bash
electric auth whoami
# Warning: JWT expires in 2 hours
electric auth login  # Refresh the JWT
```

Browser JWTs expire after 7 days. The CLI warns 24 hours before expiry. If you
see the warning, re-login to avoid disruption.

Source: packages/cli/src/auth.ts

### MEDIUM Hardcoding tokens in scripts instead of using env vars

Wrong:

```bash
electric projects list --token sv_live_abc123  # Token visible in shell history
```

Correct:

```bash
export ELECTRIC_API_TOKEN=sv_live_abc123  # Or use CI secrets manager
electric projects list
```

Passing tokens via `--token` leaves them in shell history and process listings.
Prefer `ELECTRIC_API_TOKEN` env var, especially in shared environments.

Source: packages/cli/README.md § Environment Variables

## See also

- [getting-started](../getting-started/SKILL.md) — Installation and first deployment
- [claimable-resources](../claimable-resources/SKILL.md) — No-auth provisioning flow

For token command details, run `electric auth token --help`.

## Version

Targets @electric-sql/cli v0.0.8.