# Auth Commands

Manage authentication for Treasure AI. Supports both browser-based OAuth and API key authentication.

## Commands


```bash
tdx auth                    # Show authentication status
tdx auth status             # Alias for tdx auth
tdx auth setup              # Setup authentication interactively
tdx auth clear              # Remove credentials from system keychain
```

## Auth Status

Display current authentication status and validate credentials:


```bash
tdx auth
tdx auth --profile prod
```

Shows the active profile, credential type (OAuth or API key), and validates by calling the TD API.

## Auth Setup

Interactive authentication setup. Choose between browser-based OAuth (recommended) or API key:


```bash
tdx auth setup
tdx auth setup --site ap01
tdx auth setup --profile prod
tdx auth setup --account-name td7060   # SSO login for a specific account
```

### Browser Sign-in (OAuth)

1. Select your Treasure AI site
2. Choose "Sign in with browser"
3. Optionally enter an account name for SSO routing
4. Browser opens for authentication
5. After login, tokens are saved to system keychain


OAuth tokens are stored securely in the system keychain and used automatically for subsequent commands.

OAuth opens a local callback server on `127.0.0.1:43594` to receive the authorization response. The server times out after 2 minutes.

### API Key

1. Select your Treasure AI site
2. Choose "Use an API key"
3. Enter your API key (found at Console > API Keys)
4. Key is validated and saved to system keychain


## Auth Clear

Remove all credentials (API key and OAuth tokens) from the system keychain:


```bash
tdx auth clear
tdx auth clear --profile prod
```

## Options

| Option | Description |
|  --- | --- |
| `--site <site>` | Target site (us01, ap01, eu01, ap02) |
| `--profile <name>` | Profile to use |
| `--account-name <name>` | Account name for SSO login (auth setup only) |


## Environment Variables

| Variable | Description |
|  --- | --- |
| `TDX_ACCESS_TOKEN` | Access token for Bearer authentication |
| `TDX_ACCESS_TOKEN_<PROFILE>` | Profile-specific access token |
| `TDX_API_KEY` | API key for TD1 authentication |
| `TDX_API_KEY_<PROFILE>` | Profile-specific API key |
| `TD_OAUTH_CLIENT_ID` | Override OAuth client ID (default: `tdx`) |