gavai login, which opens a browser, runs the OAuth 2.1 + PKCE flow against console.gavai.app, and writes the resulting tokens to ~/.config/gavai/credentials.json. After you run it once on a machine, every other CLI command reads the credentials file and refreshes the access token silently when it expires.
Synopsis
Arguments
None.Flags
The CLI is the source of truth for the current flag set. Run
gavai login --help for the authoritative list.What happens, in order
- The CLI starts a local HTTP listener on a random loopback port and generates a PKCE verifier/challenge pair.
- Your default browser opens to
console.gavai.appwith the challenge attached. - You sign in and approve the requested scopes.
- The browser redirects to the local listener with an authorization code.
- The CLI exchanges the code and verifier for an access token (
gst_*) and a refresh token, then writes both to~/.config/gavai/credentials.jsonalong withexpires_at,active_workspace, andendpoint.
Examples
Authenticate the current shell:Exit codes
See CLI overview — exit codes for the full table.gavai whoami
Verify which user and workspace the new session is bound to.