Skip to main content
This page covers gavai login, which opens a browser, runs the OAuth 2.1 + PKCE flow against console.gavai.app, and writes the resulting tokens to ~/.config/gavai/credentials.json. After you run it once on a machine, every other CLI command reads the credentials file and refreshes the access token silently when it expires.

Synopsis

gavai login

Arguments

None.

Flags

The CLI is the source of truth for the current flag set. Run gavai login --help for the authoritative list.

What happens, in order

  1. The CLI starts a local HTTP listener on a random loopback port and generates a PKCE verifier/challenge pair.
  2. Your default browser opens to console.gavai.app with the challenge attached.
  3. You sign in and approve the requested scopes.
  4. The browser redirects to the local listener with an authorization code.
  5. The CLI exchanges the code and verifier for an access token (gst_*) and a refresh token, then writes both to ~/.config/gavai/credentials.json along with expires_at, active_workspace, and endpoint.
The full protocol details live in API authentication.

Examples

Authenticate the current shell:
gavai login
Confirm the session was stored:
gavai whoami
Force a fresh session by deleting the existing credentials first:
gavai logout && gavai login

Exit codes

See CLI overview — exit codes for the full table.

gavai whoami

Verify which user and workspace the new session is bound to.