The Anysola CLI uses OAuth 2.0 Device Authorization Grant (RFC 8628). You run anysola login on a server or laptop, approve the request in your browser, and the CLI receives access and refresh tokens.
Device flow
```bash
# 1. Start device authorization
curl -X POST https://anysola.com/api/oauth/device \
  -H "Content-Type: application/json" \
  -d '{"client_id":"anysola-cli","cli_label":"prod-server-01"}'
# Response includes device_code, user_code, verification_uri_complete

# 2. Open verification_uri_complete in a browser while signed in to Anysola
# Select a workspace and click Authorize CLI

# 3. Poll for tokens
curl -X POST https://anysola.com/api/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type":"urn:ietf:params:oauth:grant-type:device_code",
    "device_code":"DEVICE_CODE_FROM_STEP_1"
  }'

# 4. Use the access token
curl https://anysola.com/api/oauth/userinfo \
  -H "Authorization: Bearer ays_oauth_..."
```
While authorization is pending, the token endpoint returns authorization_pending. Poll every interval seconds (default 5). Respect slow_down if returned.
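The polling rules above, written out as an added example (this is not Anysola's own CLI code). It assumes the token endpoint reports errors in a JSON `error` field as RFC 8628 specifies, that `slow_down` means adding 5 seconds to the interval (RFC 8628 section 3.5), and that the device authorization response carries an `expires_in` lifetime; the default of 900 seconds is a constructed value.

```python
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://anysola.com/api/oauth/token"  # endpoint shown on this page
GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post_json(url, body):
    """POST JSON and return the parsed JSON body for 2xx and 4xx replies."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Assumption: error codes arrive as JSON on HTTP 400 (RFC 8628 / RFC 6749).
        return json.load(err)


def poll_for_tokens(device_code, interval=5, expires_in=900,
                    post=http_post_json, sleep=time.sleep, clock=time.monotonic):
    """Poll until tokens are issued, the request is refused, or the code expires."""
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)  # wait before each request, including the first
        reply = post(TOKEN_URL, {"grant_type": GRANT, "device_code": device_code})
        error = reply.get("error")
        if error is None:
            return reply  # assumed to hold access_token and refresh_token
        if error == "authorization_pending":
            continue  # user has not approved yet; keep the current interval
        if error == "slow_down":
            interval += 5  # back off for this and every later request
            continue
        # access_denied, expired_token, or anything unexpected: stop polling
        raise RuntimeError(f"device authorization failed: {error}")
    raise TimeoutError("device code expired before approval")
```

The `post`, `sleep` and `clock` parameters exist so the loop can be exercised without network access or real waiting.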
Refresh tokens
```bash
curl -X POST https://anysola.com/api/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type":"refresh_token",
    "refresh_token":"ays_refresh_..."
  }'
```
Each refresh rotates the refresh token. Store tokens securely on the machine running the CLI.
Revoke
```bash
curl -X POST https://anysola.com/api/oauth/revoke \
  -H "Content-Type: application/json" \
  -d '{"token":"ays_refresh_..."}'
```
Admins can also revoke CLI sessions under Dashboard → Settings → CLI sessions.
Scopes
CLI tokens are bound to a workspace and your member role. Scopes are filtered at approval time:
| Scope | Minimum role | Access |
|---|---|---|
| agents:read | viewer | List and get agents |
| agents:write | member | Create, update, delete agents |
| operations:write | member | POST /api/agents/:id/run |
| workspace:read | viewer | Settings, usage, activity |
| workspace:write | admin | Update workspace settings |
| integrations:read | viewer | List integrations |
| integrations:write | admin | Connect / disconnect integrations |
| audit:read | admin | Audit trail |
API key management and team invites remain browser session only — OAuth tokens cannot create API keys or invite members.