Log in
Authenticate the CLI against the Tonbo Artifacts orchestrator.
artifacts login
The CLI opens your default browser at https://tonbo.io/login, you sign
in, and the browser hands a short-lived authorization back to the CLI
on a local callback. Subsequent commands read the saved credentials at
~/.config/artifacts/credentials.json (mode 0600); you don't need to
re-authenticate per shell.
Verify
artifacts workspace list
# {"workspaces":[]} on a fresh login
Headless hosts (no browser)
Some environments can't pop a browser — a Fly machine shell, a CI runner, a container with no display. Two options:
- Mint a service token from a host that does have a browser
  Log in normally on your dev box, then create an art_* key scoped to a single workspace. Service tokens never expire silently and are designed for headless use.
  artifacts key create --workspace cases --mode rw --ttl 30d --name panta-ci
  # Save the art_<...> value; it is only shown once.
  Use the key as the bearer on the headless host:
  artifacts login --token "$ARTIFACTS_KEY"
  See Service tokens for the full pattern.
- Or pass --token directly with any bearer
  --token accepts either an art_* service token or a Supabase JWT, so anything you paste works. The CLI doesn't try to negotiate a browser flow when --token is supplied.
  artifacts login --token "$BEARER"
Logout
artifacts logout
Removes ~/.config/artifacts/credentials.json. Doesn't touch the BYO
credentials cache (separate file at
~/.config/artifacts/byo-credentials); use artifacts storage clear
for that.
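
A check to run on a workstation or CI image to confirm the saved credential files are owner-only, as an added example that is not part of the Tonbo documentation. It uses only the two paths named above; the function names are hypothetical, and treating byo-credentials as owner-only is an assumption (the page states mode 0600 only for credentials.json).

```shell
#!/bin/sh
# Added example: audit permissions of the Artifacts CLI credential files.
# Function names are hypothetical; paths are the ones named on this page.
# Usage: audit_artifacts_creds [DIR]   (DIR defaults to ~/.config/artifacts)

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_cred_file PATH
#   0 = regular file with no group/other permission bits
#   1 = symlink, non-regular file, or accessible beyond the owner
#   2 = not present (never logged in, or already removed by logout/clear)
check_cred_file() {
    f=$1
    # Test for a symlink first: a link could redirect writes of the token.
    if [ -L "$f" ]; then echo "FAIL $f is a symlink" >&2; return 1; fi
    if [ ! -e "$f" ]; then echo "SKIP $f not present" >&2; return 2; fi
    if [ ! -f "$f" ]; then echo "FAIL $f is not a regular file" >&2; return 1; fi
    mode=$(file_mode "$f") || return 1
    # The last two octal digits are group and other; both must be 0.
    case $mode in
        0|*00) echo "OK   $f mode $mode" >&2; return 0 ;;
        *)     echo "FAIL $f mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Check both files; a missing file is not a failure, a loose mode is.
audit_artifacts_creds() {
    dir=${1:-"$HOME/.config/artifacts"}
    rc=0
    # Assumption: byo-credentials should be owner-only like credentials.json.
    for name in credentials.json byo-credentials; do
        status=0
        check_cred_file "$dir/$name" || status=$?
        if [ "$status" -eq 1 ]; then rc=1; fi
    done
    return "$rc"
}
```
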