Login, Logout, Whoami
Three commands defined incmd/crewship/cmd_login.go cover every way the CLI authenticates against a Crewship server. The token always lands in ~/.crewship/cli-config.yaml; subsequent commands pick it up from there. All three respect --server and --workspace flags for overriding the active profile.
crewship login
Four mutually exclusive modes — pick one. Interactive is the default when no mode flag is set.
| Flag | Type | Default | Effect |
|---|---|---|---|
--token <api-token> | string | (unset) | Non-interactive: validates the token via GET /api/v1/auth/cli-token/validate and saves it. Use this in CI. |
--google | bool | false | Browser-based Google OAuth. Opens /api/v1/auth/google/redirect; after sign-in, you mint a CLI token from Settings → CLI tokens and paste it. Requires GOOGLE_CLIENT_ID on the server. |
--pair | bool | false | Device-code pairing — use with --code XXXX-XXXX from the browser’s onboarding wizard. The code’s TTL is 10 minutes. |
--code <code> | string | (unset) | Pairing code from the browser. Required when --pair is set. |
--adapter <name> | string | (unset) | Optional telemetry hint, one of CLAUDE_CODE, GEMINI_CLI, CODEX_CLI, OPENCODE, CURSOR_CLI, FACTORY_DROID. Server never routes on this — it’s adapter-blind. |
Interactive
/api/auth/callback/credentials → session cookie → POST /api/v1/auth/cli-token to mint a permanent CLI token; falls back to the session token if the CLI-token endpoint isn’t available on an older server).
Token
Google OAuth
Device-code pairing
Targeting a profile
Pass--profile <name> (or set CREWSHIP_PROFILE) to authenticate a named
server profile instead of the top-level config. The minted token
is stored inside that profile. If no default profile is set yet, that
profile also becomes current (logging into another profile later does not
re-point an existing default):
--profile/CREWSHIP_PROFILE, login writes the legacy top-level
server/token fields exactly as before. logout is profile-aware too: it
clears the active profile’s token and leaves sibling profiles signed in.
Common errors
pair: the pair code didn't work — codes expire after 10 minutes— codes have a 10-min TTL. The server intentionally folds wrong code / expired / already consumed into one message to avoid being an enumeration oracle; the most likely cause is the TTL.Google sign-in is not configured on <server>— the server returnedenabled=falsefrom/api/v1/auth/google/status. The operator hasn’t setGOOGLE_CLIENT_ID+GOOGLE_CLIENT_SECRET.refusing to overwrite a malformed file — fix or remove ~/.crewship/cli-config.yaml and retry— the config file exists but isn’t valid YAML. Surfaced explicitly so the CLI doesn’t silently wipe your saved server/workspace.
crewship logout
token field in ~/.crewship/cli-config.yaml. Leaves server and workspace alone so the next crewship login re-uses the same profile without retyping the URL. The token is not revoked on the server — to do that, delete it from Settings → CLI tokens in the web UI (DELETE /api/v1/auth/cli-tokens/{tokenId}).
crewship whoami
GET /api/v1/workspaces plus GET /api/v1/auth/cli-token/validate to print the email, server URL, currently selected workspace (if any), and your role in it. Useful as a CI smoke check (crewship whoami || exit 1) before running a real mutation.
| Flag | Type | Default | Effect |
|---|---|---|---|
--json | bool | false | Emit machine-readable JSON to stdout instead of human-readable text. |
See also
crewship setup— interactive crew bootstrap right after pairing.- Authentication guide — the full identity / session / pairing story.
- Admin CLI —
crewship admin reset-passwordfor the locked-out-of-UI case.