Authentication
How the trickest CLI authenticates: API tokens, the TRICKEST_TOKEN environment variable, login, and identity checks.
On this page10
Every CLI command acts as you, scoped to your active vault (your organization/workspace). The CLI proves who you are with an API token.
Token precedence
The CLI resolves your token in this order — the environment variable always wins:
TRICKEST_TOKENenvironment variable — preferred for agents, scripts, and CI.- Stored credentials written by
trickest auth login.
export TRICKEST_TOKEN=<your-api-token>trickest auth
Manage authentication.
trickest auth status
Report whether you're authenticated and where the token came from.
trickest auth status{"authenticated":true,"source":"TRICKEST_TOKEN env var","email":"you@org.com","vault":"your-vault"}The source field tells you whether the active token is from the TRICKEST_TOKEN env var or stored config — useful when a stale stored token is shadowing the one you think you're using.
trickest auth whoami
Resolve your identity against the backend.
trickest auth whoami{"email":"you@org.com","vault":"your-vault","source":"env","live":true}"live": true means the CLI actually round-tripped the token to the server (not just read it locally), so a true here is a real connectivity + validity check.
trickest auth login
Authenticate interactively and store the token for future commands.
trickest auth login # prompts for a token
trickest auth login --token <token> # non-interactive
trickest auth login --token-file <path> # read token from a fileYou do not need to run login if TRICKEST_TOKEN is set — the env var is used directly.
trickest auth logout
Clear stored credentials.
trickest auth logoutThis only affects stored credentials; it does not unset TRICKEST_TOKEN in your shell.
Confirming your user identity
auth whoami reports the email/vault. For the canonical user record (including the numeric user id), use:
trickest users me{"id":8,"email":"you@org.com","username":"zaric"}Vaults
Your vault is the scope every command operates within. It is resolved from your
token automatically and stored as auth.vault_id in the CLI config:
trickest config get auth.vault_id
# {"key":"auth.vault_id","value":"e54ccb18-…"}You rarely set this by hand; the token determines it. See Configuration & Context for the full config model.